
Windows Analysis Report
SOA - HUAFENG (JAN INVOICE OVERDUE).exe

Overview

General Information

Sample name: SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Analysis ID: 1638724
MD5: eb11183b01282bd6a62280b200b6a52f
SHA1: 5c45eb1ee3f5a16b226eeaa8f637287b4e93bbee
SHA256: df52744df9ff4bd8dfb0b6e6e86f94d1d885caba0f2deb2f8a429978b475508a
Tags: exe, user-threatcat_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SOA - HUAFENG (JAN INVOICE OVERDUE).exe (PID: 7876 cmdline: "C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe" MD5: EB11183B01282BD6A62280B200B6A52F)
    • InstallUtil.exe (PID: 7920 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 5536 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • StripAfterObfuscation.exe (PID: 7884 cmdline: "C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe" MD5: EB11183B01282BD6A62280B200B6A52F)
      • InstallUtil.exe (PID: 7692 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "classic@iaa-airferight.com", "Password": "BIGNAIRA2024"}
Yara matches in memory dumps (Source | Rule | Description | Author):
  • 00000000.00000002.1198123003.00000000059A0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
  • 0000000B.00000002.2420639280.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  (The full report lists 24 entries; only the first five are shown here.)

Yara matches in unpacked PEs (Source | Rule | Description | Author | Strings):
  • 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59a0000.8.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
  • 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59a0000.8.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
  • 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    • 0x316cf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x31741:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x317cb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x3185d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x318c7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x31939:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x319cf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x31a5f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  (The full report lists 6 entries; only the first five are shown here.)

                    System Summary

                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs" , ProcessId: 5536, ProcessName: wscript.exe
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 7920, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49723
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs" , ProcessId: 5536, ProcessName: wscript.exe

                    Data Obfuscation

                    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ProcessId: 7876, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs
                    No Suricata rule has matched

                    AV Detection

                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exeAvira: detected
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exeAvira: detection malicious, Label: TR/AD.GenSteal.jrsck
                    Source: 1.2.InstallUtil.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "classic@iaa-airferight.com", "Password": "BIGNAIRA2024"}
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exeReversingLabs: Detection: 55%
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exeVirustotal: Detection: 65%
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exeReversingLabs: Detection: 55%
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exeVirustotal: Detection: 50%
                    Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49722 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49729 version: TLS 1.2
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000004026000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198536378.0000000006040000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003924000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000004026000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198536378.0000000006040000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003924000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 4x nop then jmp 06037398h (0_2_060372D8)
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 4x nop then jmp 06037398h (0_2_060372E0)
                    Source: Joe Sandbox ViewIP Address: 46.175.148.58
                    Source: Joe Sandbox ViewIP Address: 172.67.74.152
                    Source: Joe Sandbox ViewIP Address: 172.67.74.152
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.4:49723 -> 46.175.148.58:25
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: mail.iaa-airferight.com
                    Source: InstallUtil.exe, 00000001.00000002.1321396874.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2420639280.0000000002D8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.iaa-airferight.com
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1179899612.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1321396874.0000000003171000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1316095915.0000000002611000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2420639280.0000000002D1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1321396874.0000000003171000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2420639280.0000000002D1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: InstallUtil.exe, 00000001.00000002.1321396874.0000000003171000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2420639280.0000000002D1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: InstallUtil.exe, 00000001.00000002.1321396874.0000000003171000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2420639280.0000000002D1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.00000000037E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1179899612.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1316095915.0000000002611000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49722 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49729 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.raw.unpack, K6raBsUk6.cs | .Net Code: UQgQ75

                    System Summary

                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: initial sampleStatic PE information: Filename: SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_06038BB8 NtProtectVirtualMemory
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_0603C8B0 NtResumeThread
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_06038BB0 NtProtectVirtualMemory
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_0603C8A8 NtResumeThread
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_02B62159
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_02B61797
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_02B6B590
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_02B6BB20
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_060357D0
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_06030E50
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_060357C0
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_060310EF
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_06030E40
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_060CF740
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_060CF410
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeCode function: 0_2_060CDE28
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_018BE5E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_018B4A90
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_018BAA12
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_018BDE18
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_018B3E78
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_018B41C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_069565D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_069555C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_06957D68
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0695B212
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_06953078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0695C178
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_06957688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_06955CCB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_0695E3A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_06950040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 1_2_06950006
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exeCode function: 10_2_00A5215F
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exeCode function: 10_2_00A51797
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exeCode function: 10_2_00A5B590
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exeCode function: 10_2_00A5BB20
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exeCode function: 10_2_058DF410
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exeCode function: 10_2_058DF740
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exeCode function: 10_2_058DDE28
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0138E801
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0138AA20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_01384A98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_01383E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_013841C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0138AA1A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0665A6BC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0665A6B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0665A39C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0665D7D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0665BC18
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_066655C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_066665D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0666B220
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_06662360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0666C178
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_06667D68
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_06667688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_0666E3A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_06660040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_06665CE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_06660037
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 11_2_06660006
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1179899612.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename69f9de06-3db1-4f6f-8eb7-8ce21e91f1c8.exe4 vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMksynf.dll" vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000004026000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1179016710.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename69f9de06-3db1-4f6f-8eb7-8ce21e91f1c8.exe4 vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1179899612.0000000002D61000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198536378.0000000006040000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1196271357.00000000053B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMksynf.dll" vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Binary or memory string: OriginalFilenameWviim.exe, vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: StripAfterObfuscation.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, TransmitterService.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: StripAfterObfuscation.exe.0.dr, TransmitterService.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3d65570.3.raw.unpack, XAjROYWYNudYRK1T5CX.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.raw.unpack, Q1L0K.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.6040000.10.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.6040000.10.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.6040000.10.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.6040000.10.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.6040000.10.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.6040000.10.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.6040000.10.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.6040000.10.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@2/2
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs"
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe | ReversingLabs: Detection: 55%
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Virustotal: Detection: 50%
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | File read: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                    Source: unknown | Process created: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe "C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe"
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe "C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe"
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe "C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe"
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wtsapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winsta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe  Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe  Static file information: File size 1229824 > 1048576
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe  Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12ba00
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000004026000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198536378.0000000006040000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003924000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000004026000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198536378.0000000006040000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003924000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3d65570.3.raw.unpack, XAjROYWYNudYRK1T5CX.cs  .Net Code: Type.GetTypeFromHandle(GACmB4mv9DKPhq0S3yw.Mh0f3i6p3O(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(GACmB4mv9DKPhq0S3yw.Mh0f3i6p3O(16777255)),Type.GetTypeFromHandle(GACmB4mv9DKPhq0S3yw.Mh0f3i6p3O(16777285))})
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, AuthenticatorParser.cs  .Net Code: VerifyMixedAuthenticator System.AppDomain.Load(byte[])
                    Source: StripAfterObfuscation.exe.0.dr, AuthenticatorParser.cs  .Net Code: VerifyMixedAuthenticator System.AppDomain.Load(byte[])
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, ReflectionHelper.cs  .Net Code: InvokeMethod
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3fd6770.0.raw.unpack, XmlSerializationHelper.cs  .Net Code: ReadObjectProperties
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.6040000.10.raw.unpack, ReflectionHelper.cs  .Net Code: InvokeMethod
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.6040000.10.raw.unpack, XmlSerializationHelper.cs  .Net Code: ReadObjectProperties
                    Source: Yara match  File source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59a0000.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59a0000.8.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 00000000.00000002.1198123003.00000000059A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000A.00000002.1316095915.0000000002611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000002.1179899612.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: SOA - HUAFENG (JAN INVOICE OVERDUE).exe PID: 7876, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: StripAfterObfuscation.exe PID: 7884, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe  Code function: 0_2_060B6507 push ecx; iretd 0_2_060B650C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 1_2_018B0C45 push ebx; retf 1_2_018B0C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 1_2_018B0C6D push edi; retf 1_2_018B0C7A
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe  Code function: 10_2_058C6507 push ecx; iretd 10_2_058C650C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 11_2_01380C6D push edi; retf 11_2_01380C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 11_2_01380C45 push ebx; retf 11_2_01380C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 11_2_06654D20 push es; ret 11_2_06654D30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 11_2_06654D20 push esp; iretd 11_2_06654DA5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 11_2_066536B0 push ebp; iretd 11_2_0665371D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 11_2_066555E0 push esp; iretd 11_2_066555F4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 11_2_066555C0 push esp; iretd 11_2_066555D4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 11_2_0665FB42 push es; ret 11_2_0665FB44
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Code function: 11_2_0665FB3D push es; ret 11_2_0665FB40
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe  Static PE information: section name: .text entropy: 7.927505955802021
                    Source: StripAfterObfuscation.exe.0.dr  Static PE information: section name: .text entropy: 7.927505955802021
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3d65570.3.raw.unpack, GaDrccm07CVSnLaJyBG.cs  High entropy of concatenated method names: 'EfBm7AyKRR', 'W4qmZN1iJS', 'O2hmcOUggQ', 'ni5mOHUD7k', 'p6QmTlNKne', 'TMUmffQ3OQ', 'm1GmbGZm4N', 'S0wmXjSW8b', 'G9Sm1qwJxa', 'EShmuXeMN4'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3d65570.3.raw.unpack, IIaKRb43YlSf1CSbtjV.cs  High entropy of concatenated method names: 'Upg4W1LG3I', 'vHS4mnMPhP', 'ni54p1299Z', 'rjC4DqZ1Wp', 'F644nxOY7u', 'V1N4Q5A5Yf', 'jxw4GNNQ01', 'Nji4Ae8m6d', 'hBF42eka6w', 'XYo4SHnHRJ'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3d65570.3.raw.unpack, fU1piY3XQ1rbFW8Y757.cs  High entropy of concatenated method names: 'oTP5DYXmWB', 'UUV5FC7iYj', 'G9k5npDAQD', 'WdhZo3Z24nWnvK4JkUI', 'JgsK4nZM20lMauBXaVC', 'ioX3uP6J0v', 'gOg3RktkI9', 'xXK3r90ve3', 'vN63zZCE4h', 'www5xweO6L'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3d65570.3.raw.unpack, mx3a5BUcP6pffksFL3P.cs  High entropy of concatenated method names: 'wWvUTyF8Iv', 'aD7UbKs8EI', 'w5xU1JtVwW', 'P1RURCJkIm', 'DZMUrX0F09', 'XJwUzATG4Z', 'P24qxF5Gr7', 'BJ7q4stf0p', 'URBqhPJVp2', 'fsUqNM1fMa'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3d65570.3.raw.unpack, CHd0IVmRnwWjM9Onj7r.cs  High entropy of concatenated method names: 'm636rNPrmj', 'X496z88FLw', 'sm0Qx3IgsQ', 'RRHQ4pBfIH', 'jHEQhqaFVB', 'NsLQNTpNxW', 'yYXQJrjVMu', 'KAhEQUlRxS', 'nluQisCLMi', 'ASUQUi3MKR'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3d65570.3.raw.unpack, XAjROYWYNudYRK1T5CX.cs  High entropy of concatenated method names: 'lZR5CFcUCIjGXsNHget', 'j88En4cqUjaEiHiFJtW', 'FramjMBbbt', 'vh0ry9Sq2v', 'A2cmps8Q7q', 'DCWmyWeue8', 'e8NmDGH3fq', 'Y08mFk0co2', 'RG7fe2FleL', 'Qe0WkhQOob'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3d65570.3.raw.unpack, KHUd8T57BQFXNHjPoes.cs  High entropy of concatenated method names: 'ONj5fMQ7um', 'ASS5bCGpgx', 'HpH5XprFbp', 'fKn51xdTeP', 'jQp5uLmBj4', 'Avv5R50jux', 'kOA5rCarj3', 'mBB5zIA88p', 'gbkWx6XBaS', 'y8yW4iSlcd'
                    Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.53b0000.6.raw.unpack, IIaKRb43YlSf1CSbtjV.cs  High entropy of concatenated method names: 'Upg4W1LG3I', 'vHS4mnMPhP', 'ni54p1299Z', 'rjC4DqZ1Wp', 'F644nxOY7u', 'V1N4Q5A5Yf', 'jxw4GNNQ01', 'Nji4Ae8m6d', 'hBF42eka6w', 'XYo4SHnHRJ'
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe  File created: \soa - huafeng (jan invoice overdue).exe
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe  File created: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe  File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: SOA - HUAFENG (JAN INVOICE OVERDUE).exe PID: 7876, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: StripAfterObfuscation.exe PID: 7884, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration (2 identical entries)
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1179899612.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1316095915.0000000002611000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Memory allocated: 2B20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Memory allocated: 2D60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Memory allocated: 2CA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 1810000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 3170000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 1810000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Memory allocated: A50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Memory allocated: 2610000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Memory allocated: 2510000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 1380000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 2D10000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 4D10000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
                    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 7109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 2727
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 1316
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 8529
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep count: 36 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -33204139332677172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -99891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8152 | Thread sleep count: 7109 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8152 | Thread sleep count: 2727 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -99781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -99672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -99562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -99240s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -99121s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -99000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -98891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -98781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -98671s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -98562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -98453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -98344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -98234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -98125s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -98016s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -97891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -97780s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -97656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -97547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -97422s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -97312s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -97203s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -97094s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -96969s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -96841s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -96606s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -96496s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -96380s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -96250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -96140s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -96031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -95922s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -95797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -95687s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -95576s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -95453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -95344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -95234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -95125s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -95015s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -94906s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -94797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -94678s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -94547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -94438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -94328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -94218s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -94098s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8148 | Thread sleep time: -93957s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep count: 31 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -28592453314249787s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -99872s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep count: 1316 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep count: 8529 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -99765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -99656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -99547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -99437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -99328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -99219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -99109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -99000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -98891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -98766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -98641s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -98531s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -98422s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -98313s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -98188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -98063s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -97953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -97844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -97719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -97609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -97500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -97391s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -97281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -97172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -97062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -96953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -96842s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -96734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -96623s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -96515s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -96405s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -96240s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -96065s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -95938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -95828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -95719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -95594s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -95484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -95375s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -95266s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -95156s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -95047s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -94938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -94813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -94703s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -94593s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -94484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7468 | Thread sleep time: -94375s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (2 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99240
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99121
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 99000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 98891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 98781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 98671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 98562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 98453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 98344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 98234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 98125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 98016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 97891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 97780
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 97656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 97547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 97422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 97312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 97203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 97094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 96969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 96841
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96606Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96496Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96380Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95576Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95344Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94678Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94438Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94218Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94098Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93957Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99872Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99219Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98891Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98641Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98422Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98313Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98188Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97844Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97719Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97500Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97391Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97172Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97062Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96842Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96623Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96515Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96405Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96240Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96065Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95719Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95266Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95156Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95047Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94813Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94375Jump to behavior
                    Source: wscript.exe, 00000009.00000002.1305628648.000001AB49EE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
                    Source: InstallUtil.exe, 00000001.00000002.1329199133.0000000005662000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
                    Source: InstallUtil.exe, 0000000B.00000002.2428144406.0000000006126000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluu#O
                    Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1196271357.00000000053B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: NdHGfstnl5TVO09icdQ
                    Source: StripAfterObfuscation.exe, 0000000A.00000002.1316095915.0000000002611000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                    Source: StripAfterObfuscation.exe, 0000000A.00000002.1316095915.0000000002611000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: DA8008
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe "C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe"
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Queries volume information: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe VolumeInformation
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Queries volume information: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.2420639280.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1321396874.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1321396874.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2420639280.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SOA - HUAFENG (JAN INVOICE OVERDUE).exe PID: 7876, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7920, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: StripAfterObfuscation.exe PID: 7884, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7692, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1321396874.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2420639280.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SOA - HUAFENG (JAN INVOICE OVERDUE).exe PID: 7876, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7920, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: StripAfterObfuscation.exe PID: 7884, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7692, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.40b1ea8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.2420639280.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1321396874.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1321396874.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2420639280.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SOA - HUAFENG (JAN INVOICE OVERDUE).exe PID: 7876, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7920, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: StripAfterObfuscation.exe PID: 7884, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7692, type: MEMORYSTR
                    MITRE ATT&CK Matrix (one line per tactic column; the digits in front of a technique name are the matrix's badge counts, explained in the legend below)

                    Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
                    Resource Development: 111 Scripting | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
                    Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
                    Execution: 121 Windows Management Instrumentation | 1 Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
                    Persistence: 111 Scripting | 1 DLL Side-Loading | 1 Scheduled Task/Job | 2 Registry Run Keys / Startup Folder | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
                    Privilege Escalation: 1 DLL Side-Loading | 211 Process Injection | 1 Scheduled Task/Job | 2 Registry Run Keys / Startup Folder | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
                    Defense Evasion: 1 Disable or Modify Tools | 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 22 Software Packing | 1 DLL Side-Loading | 1 Masquerading | 141 Virtualization/Sandbox Evasion | 211 Process Injection
                    Credential Access: 2 OS Credential Dumping | 1 Input Capture | 1 Credentials in Registry | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
                    Discovery: 1 File and Directory Discovery | 24 System Information Discovery | 311 Security Software Discovery | 1 Process Discovery | 141 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 System Network Configuration Discovery | System Owner/User Discovery
                    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
                    Collection: 11 Archive Collected Data | 2 Data from Local System | 1 Email Collection | 1 Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
                    Command and Control: 1 Ingress Tool Transfer | 11 Encrypted Channel | 2 Non-Application Layer Protocol | 23 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1638724
Sample: SOA - HUAFENG (JAN INVOICE ...
Startdate: 14/03/2025
Architecture: WINDOWS
Score: 100

Start node:
• DNS/IP Info: mail.iaa-airferight.com; api.ipify.org
• Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 12 other signatures
• Started processes: SOA - HUAFENG (JAN INVOICE OVERDUE).exe (graph badge: 5); wscript.exe (graph badge: 1)

SOA - HUAFENG (JAN INVOICE OVERDUE).exe:
• Created files (dropped): C:\Users\user\...\StripAfterObfuscation.exe (PE32); StripAfterObfuscat...exe:Zone.Identifier (ASCII); C:\Users\user\...\StripAfterObfuscation.vbs (ASCII)
• Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
• Started process: InstallUtil.exe (graph badges: 15, 2)

wscript.exe:
• Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
• Started process: StripAfterObfuscation.exe (graph badge: 2)

InstallUtil.exe (started by SOA - HUAFENG (JAN INVOICE OVERDUE).exe):
• DNS/IP Info: api.ipify.org 172.67.74.152, 443, 49722, 49729, CLOUDFLARENETUS, United States; mail.iaa-airferight.com 46.175.148.58, 25, ASLAGIDKOM-NETUA, Ukraine
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access)

StripAfterObfuscation.exe (started by wscript.exe):
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
• Started process: InstallUtil.exe (graph badge: 2)

InstallUtil.exe (started by StripAfterObfuscation.exe):
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label | Link
SOA - HUAFENG (JAN INVOICE OVERDUE).exe | 56% | ReversingLabs | Win32.Trojan.Jalapeno |
SOA - HUAFENG (JAN INVOICE OVERDUE).exe | 51% | Virustotal | | Browse
SOA - HUAFENG (JAN INVOICE OVERDUE).exe | 100% | Avira | TR/AD.GenSteal.jrsck |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | 100% | Avira | TR/AD.GenSteal.jrsck |
C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | 56% | ReversingLabs | Win32.Trojan.Jalapeno |
C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe | 66% | Virustotal | | Browse
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | false | | high
api.ipify.org | 172.67.74.152 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/mgravell/protobuf-net | SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org | SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1321396874.0000000003171000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2420639280.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-neti | SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1179899612.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1316095915.0000000002611000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-netJ | SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.00000000037E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | InstallUtil.exe, 00000001.00000002.1321396874.0000000003171000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2420639280.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1179899612.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1321396874.0000000003171000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1316095915.0000000002611000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2420639280.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1198290054.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, StripAfterObfuscation.exe, 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.iaa-airferight.com | InstallUtil.exe, 00000001.00000002.1321396874.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2420639280.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | | 56394 | ASLAGIDKOM-NETUA | false
172.67.74.152 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1638724
Start date and time: 2025-03-14 16:56:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@8/3@2/2
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 220
• Number of non-executed functions: 19
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10, 20.109.210.53
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target StripAfterObfuscation.exe, PID 7884 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:57:17 | API Interceptor | 278x Sleep call for process: InstallUtil.exe modified
15:57:18 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
46.175.148.58 | payment confirmation.exe | Get hash | malicious | AgentTesla | Browse |
46.175.148.58 | purchase order T&B19-20PO128.exe | Get hash | malicious | AgentTesla | Browse |
46.175.148.58 | SecuriteInfo.com.Win32.CrypterX-gen.25378.7586.exe | Get hash | malicious | AgentTesla | Browse |
46.175.148.58 | T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Get hash | malicious | AgentTesla | Browse |
46.175.148.58 | Global e-Banking Payment Advice 000000164.exe | Get hash | malicious | AgentTesla | Browse |
46.175.148.58 | Wire Remittance Detail.exe | Get hash | malicious | AgentTesla | Browse |
46.175.148.58 | SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exe | Get hash | malicious | AgentTesla | Browse |
46.175.148.58 | pbgjw8i8N7.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
46.175.148.58 | G3uJOLisBq.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
46.175.148.58 | yxoY9FvULu.exe | Get hash | malicious | AgentTesla | Browse |
172.67.74.152 | Service.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
172.67.74.152 | NightFixed 1.0.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
172.67.74.152 | VibeCall.exe | Get hash | malicious | RHADAMANTHYS | Browse | api.ipify.org/
172.67.74.152 | VibeCall.exe | Get hash | malicious | RHADAMANTHYS | Browse | api.ipify.org/
172.67.74.152 | VibeCall.exe | Get hash | malicious | RHADAMANTHYS | Browse | api.ipify.org/
172.67.74.152 | Editing.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
172.67.74.152 | Terms_of_reference_06_01_2025_samsung.scr.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
172.67.74.152 | Contract for Partners.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
172.67.74.152 | JV4lf0wkWV.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
172.67.74.152 | Setup.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/?format=xml
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.iaa-airferight.com | payment confirmation.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | purchase order T&B19-20PO128.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | SecuriteInfo.com.Win32.CrypterX-gen.25378.7586.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | Global e-Banking Payment Advice 000000164.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | Wire Remittance Detail.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
mail.iaa-airferight.com | pbgjw8i8N7.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 46.175.148.58
mail.iaa-airferight.com | G3uJOLisBq.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 46.175.148.58
mail.iaa-airferight.com | yxoY9FvULu.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
api.ipify.org | http://www.policy-violation-10094985.victoriakent.co.uk/ | Get hash | malicious | Unknown | Browse | 104.26.13.205
api.ipify.org | http://bttinter.vercel.app/ | Get hash | malicious | Unknown | Browse | 104.26.13.205
api.ipify.org | 1. Vessel Details of WBC TBN 1.pdf.bat.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
api.ipify.org | I_ Order.msg | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
api.ipify.org | I_ Order.msg | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
api.ipify.org | https://forms.office.com/e/pnG8K1BDns | Get hash | malicious | Invisible JS, Tycoon2FA | Browse | 172.67.74.152
api.ipify.org | https://trustwalletrate.com | Get hash | malicious | Unknown | Browse | 172.67.74.152
api.ipify.org | New_Voicemail_Peterborough_.html | Get hash | malicious | HTMLPhisher | Browse | 104.26.12.205
api.ipify.org | New_Voicemail_ Peterborough_.html | Get hash | malicious | HTMLPhisher | Browse | 104.26.12.205
api.ipify.org | brave.ps1 | Get hash | malicious | Unknown | Browse | 172.67.74.152
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ASLAGIDKOM-NETUA | payment confirmation.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | purchase order T&B19-20PO128.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | SecuriteInfo.com.Win32.CrypterX-gen.25378.7586.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | Global e-Banking Payment Advice 000000164.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | Wire Remittance Detail.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | pbgjw8i8N7.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | G3uJOLisBq.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 46.175.148.58
ASLAGIDKOM-NETUA | yxoY9FvULu.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
CLOUDFLARENETUS | https://analytics.zoho.com/open-view/3065751000000004143 | Get hash | malicious | HTMLPhisher | Browse | 104.18.11.207
CLOUDFLARENETUS | stk.vmp.dll | Get hash | malicious | Unknown | Browse | 172.67.69.236
CLOUDFLARENETUS | https://gqr.sh/rRYL | Get hash | malicious | HTMLPhisher | Browse | 104.16.124.96
CLOUDFLARENETUS | trzRv3D3.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.207.51
CLOUDFLARENETUS | 809e682faadb839aaf9e5e6b171dfa3e.ps1 | Get hash | malicious | Unknown | Browse | 104.17.150.117
CLOUDFLARENETUS | file.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1
CLOUDFLARENETUS | http://spfda.goelia1995.com | Get hash | malicious | Unknown | Browse | 172.64.147.119
CLOUDFLARENETUS | http://onllyfans.me/ | Get hash | malicious | Unknown | Browse | 104.16.79.73
CLOUDFLARENETUS | https://voice.araboglu55.com.tr/rWW8Q | Get hash | malicious | Unknown | Browse | 172.67.200.3
CLOUDFLARENETUS | ATT50896.svg | Get hash | malicious | HTMLPhisher | Browse | 172.67.158.181
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | trzRv3D3.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | 809e682faadb839aaf9e5e6b171dfa3e.ps1 | Get hash | malicious | Unknown | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.W32.Lolbas.A.tr.14539.2076.exe | Get hash | malicious | ScreenConnect Tool | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.W32.Lolbas.A.tr.14539.2076.exe | Get hash | malicious | ScreenConnect Tool | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | 7495 P.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Solara.exe.bin.exe | Get hash | malicious | LummaC Stealer, Xmrig | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | StormKittyXZeroTrace.exe.bin.exe | Get hash | malicious | StormKitty | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Cqqjbi.exe | Get hash | malicious | Unknown | Browse | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Cqqjbi.exe | Get hash | malicious | Unknown | Browse | 172.67.74.152
                                                                    No context
                                                                    Process:C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):96
                                                                    Entropy (8bit):4.751324158019611
                                                                    Encrypted:false
                                                                    SSDEEP:3:FER/n0eFHHot+kiEaKC55ONAX8W8LJHHHn:FER/lFHIwknaZ551X9u
                                                                    MD5:AE4A89D33EF308DEF01BD0149F948201
                                                                    SHA1:0EE0D18A313CB39714040362B9C41F81A6564D04
                                                                    SHA-256:E9372E10BF9453011B870674694BA84E5311A9086DD038B7C03C06FBA6ED922C
                                                                    SHA-512:8B3DDD385A6F27C1D55C10FDA42DB1098F7882E2EC14AC6718DD8061A24336499A3E0919B1F5C0C1F17CDCB99308428E2E0740026C739AE680BE08C4BEC034C0
                                                                    Malicious:true
                                                                    Reputation:low
                                                                    Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe"""
                                                                    Process:C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1229824
                                                                    Entropy (8bit):7.923561130390634
                                                                    Encrypted:false
                                                                    SSDEEP:24576:Zmuil1zWDv0GtEg9iNVqB6dDG5Ts8uN3IbpUcGMatXpfDG:JiU8GtALqS84pNCpUltXJG
                                                                    MD5:EB11183B01282BD6A62280B200B6A52F
                                                                    SHA1:5C45EB1EE3F5A16B226EEAA8F637287B4E93BBEE
                                                                    SHA-256:DF52744DF9FF4BD8DFB0B6E6E86F94D1D885CABA0F2DEB2F8A429978B475508A
                                                                    SHA-512:D802B19C2684225C594E75AA5BF0A51386A434ACC1302E7F31FA4E02494232C96DE2BF29CE72556AE175AD3E9252E257305B5C39C9419798F74F77895F577D4A
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 56%
                                                                    • Antivirus: Virustotal, Detection: 66%, Browse
                                                                    Reputation:low
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.g................................. ........@.. ....................... ............`.....................................K.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............6...........&..............................................*...(....*..0.......... ........8........E............8......(....o....(....(.... ....~....{....9....& ....8........E........8.......... ....~....{....9....& ....8........E....:.......85...r...p..o....(....(.... ....~....{....9....& ....8......... ....~....{....:....& ....8....*.........%.Kp.q....&~.......*...~....*..0..7.........(....}.......}.......}......|......(...+..|....(....*..0../.........(....}
                                                                    Process:C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:true
                                                                    Reputation:high, very likely benign file
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.923561130390634
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                    File name:SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                                                                    File size:1'229'824 bytes
                                                                    MD5:eb11183b01282bd6a62280b200b6a52f
                                                                    SHA1:5c45eb1ee3f5a16b226eeaa8f637287b4e93bbee
                                                                    SHA256:df52744df9ff4bd8dfb0b6e6e86f94d1d885caba0f2deb2f8a429978b475508a
                                                                    SHA512:d802b19c2684225c594e75aa5bf0a51386a434acc1302e7f31fa4e02494232c96de2bf29ce72556ae175ad3e9252e257305b5c39c9419798f74f77895f577d4a
                                                                    SSDEEP:24576:Zmuil1zWDv0GtEg9iNVqB6dDG5Ts8uN3IbpUcGMatXpfDG:JiU8GtALqS84pNCpUltXJG
                                                                    TLSH:BF451206778A5921CA866FB7DEC54420DFB5E442FE13E75B319D23B84903B19BF0A386
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.g................................. ........@.. ....................... ............`................................
                                                                    Icon Hash:90cececece8e8eb0
                                                                    Entrypoint:0x52d9de
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x67D365E1 [Thu Mar 13 23:10:25 2025 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12d990 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12e000 | 0x588 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x130000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x12b9e4 | 0x12ba00 | c0fa24eaa817bfc394a3bf16e713f0a1 | False | 0.939289346057572 | data | 7.927505955802021 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12e000 | 0x588 | 0x600 | e0240e961b2b14fce0efa53b2fa7ffa8 | False | 0.4173177083333333 | data | 4.025184842792837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x130000 | 0xc | 0x200 | af6d6ac48744fd50b79821bd5bdf45b8 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x12e0a0 | 0x2fc | data | | | 0.43848167539267013
RT_MANIFEST | 0x12e39c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | Wviim
FileVersion | 1.0.0.0
InternalName | Wviim.exe
LegalCopyright | Copyright 2012
LegalTrademarks |
OriginalFilename | Wviim.exe
ProductName | Wviim
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 14, 2025 16:57:17.076905012 CET | 49722 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:17.076948881 CET | 443 | 49722 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:17.077035904 CET | 49722 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:17.111015081 CET | 49722 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:17.111047029 CET | 443 | 49722 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:17.605719090 CET | 443 | 49722 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:17.605804920 CET | 49722 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:17.615319014 CET | 49722 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:17.615343094 CET | 443 | 49722 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:17.615737915 CET | 443 | 49722 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:17.658958912 CET | 49722 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:17.688735962 CET | 49722 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:17.732326984 CET | 443 | 49722 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:17.803154945 CET | 443 | 49722 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:17.803231001 CET | 443 | 49722 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:17.803287029 CET | 49722 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:17.810256004 CET | 49722 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:18.853096008 CET | 49723 | 25 | 192.168.2.4 | 46.175.148.58
Mar 14, 2025 16:57:19.862107992 CET | 49723 | 25 | 192.168.2.4 | 46.175.148.58
Mar 14, 2025 16:57:21.862140894 CET | 49723 | 25 | 192.168.2.4 | 46.175.148.58
Mar 14, 2025 16:57:25.862123966 CET | 49723 | 25 | 192.168.2.4 | 46.175.148.58
Mar 14, 2025 16:57:29.880667925 CET | 49729 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:29.880733013 CET | 443 | 49729 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:29.884310007 CET | 49729 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:29.887613058 CET | 49729 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:29.887629032 CET | 443 | 49729 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:30.340868950 CET | 443 | 49729 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:30.340950966 CET | 49729 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:30.353977919 CET | 49729 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:30.353987932 CET | 443 | 49729 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:30.354264975 CET | 443 | 49729 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:30.409003973 CET | 49729 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:30.563067913 CET | 49729 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:30.604330063 CET | 443 | 49729 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:30.667453051 CET | 443 | 49729 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:30.667516947 CET | 443 | 49729 | 172.67.74.152 | 192.168.2.4
Mar 14, 2025 16:57:30.667563915 CET | 49729 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:30.670723915 CET | 49729 | 443 | 192.168.2.4 | 172.67.74.152
Mar 14, 2025 16:57:31.204052925 CET | 49730 | 25 | 192.168.2.4 | 46.175.148.58
Mar 14, 2025 16:57:32.362159014 CET | 49730 | 25 | 192.168.2.4 | 46.175.148.58
Mar 14, 2025 16:57:34.362181902 CET | 49730 | 25 | 192.168.2.4 | 46.175.148.58
Mar 14, 2025 16:57:38.377756119 CET | 49730 | 25 | 192.168.2.4 | 46.175.148.58
Mar 14, 2025 16:57:46.393467903 CET | 49730 | 25 | 192.168.2.4 | 46.175.148.58
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 14, 2025 16:57:17.044240952 CET | 63787 | 53 | 192.168.2.4 | 1.1.1.1
Mar 14, 2025 16:57:17.050961018 CET | 53 | 63787 | 1.1.1.1 | 192.168.2.4
Mar 14, 2025 16:57:18.836347103 CET | 58632 | 53 | 192.168.2.4 | 1.1.1.1
Mar 14, 2025 16:57:18.851207972 CET | 53 | 58632 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 14, 2025 16:57:17.044240952 CET | 192.168.2.4 | 1.1.1.1 | 0x9cec | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 14, 2025 16:57:18.836347103 CET | 192.168.2.4 | 1.1.1.1 | 0x8ede | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 14, 2025 16:57:17.050961018 CET | 1.1.1.1 | 192.168.2.4 | 0x9cec | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 16:57:17.050961018 CET | 1.1.1.1 | 192.168.2.4 | 0x9cec | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 16:57:17.050961018 CET | 1.1.1.1 | 192.168.2.4 | 0x9cec | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 16:57:18.851207972 CET | 1.1.1.1 | 192.168.2.4 | 0x8ede | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
                                                                    • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49722 | 172.67.74.152 | 443 | 7920 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-14 15:57:17 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2025-03-14 15:57:17 UTC | 424 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Mar 2025 15:57:17 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 9204f749eb292363-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=2003&min_rtt=2001&rtt_var=755&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=769&delivery_rate=1446260&cwnd=225&unsent_bytes=0&cid=069b3d852da3f945&ts=209&x=0"
2025-03-14 15:57:17 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49729 | 172.67.74.152 | 443 | 7692 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-14 15:57:30 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2025-03-14 15:57:30 UTC | 424 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Mar 2025 15:57:30 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 9204f79a5d4a14a8-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1664&rtt_var=630&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2816&recv_bytes=769&delivery_rate=1727810&cwnd=162&unsent_bytes=0&cid=af730bd3d7d08164&ts=330&x=0"
2025-03-14 15:57:30 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189



                                                                    Target ID:0
                                                                    Start time:11:57:13
                                                                    Start date:14/03/2025
                                                                    Path:C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe"
                                                                    Imagebase:0x8d0000
                                                                    File size:1'229'824 bytes
                                                                    MD5 hash:EB11183B01282BD6A62280B200B6A52F
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1198123003.00000000059A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1194617915.000000000409D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1194617915.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1179899612.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:1
                                                                    Start time:11:57:14
                                                                    Start date:14/03/2025
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                    Imagebase:0xbf0000
                                                                    File size:42'064 bytes
                                                                    MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1314016194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1321396874.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1321396874.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1321396874.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:11:57:26
                                                                    Start date:14/03/2025
                                                                    Path:C:\Windows\System32\wscript.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StripAfterObfuscation.vbs"
                                                                    Imagebase:0x7ff6f0fb0000
                                                                    File size:170'496 bytes
                                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:11:57:27
                                                                    Start date:14/03/2025
                                                                    Path:C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\StripAfterObfuscation.exe"
                                                                    Imagebase:0x100000
                                                                    File size:1'229'824 bytes
                                                                    MD5 hash:EB11183B01282BD6A62280B200B6A52F
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.1316095915.0000000002611000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1341237485.0000000003722000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 56%, ReversingLabs
                                                                    • Detection: 66%, Virustotal, Browse
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:11:57:28
                                                                    Start date:14/03/2025
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                    Imagebase:0xa30000
                                                                    File size:42'064 bytes
                                                                    MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2420639280.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2420639280.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2420639280.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:false
