Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
New requirement Orders.exe

Overview

General Information

Sample name:New requirement Orders.exe
Analysis ID:1640572
MD5:f7be7513de4566c4c67e860e85c4d6ab
SHA1:d522ac7d5009e66e3aaddc819d4124422e460ebf
SHA256:27bd5e4723cf6f83c2f4a5669ed07025c8c7925ee09b59861c6ec6009615e28d
Tags:exeuser-adrian__luca
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • New requirement Orders.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\New requirement Orders.exe" MD5: F7BE7513DE4566C4C67E860E85C4D6AB)
    • InstallUtil.exe (PID: 7112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • MpCmdRun.exe (PID: 7768 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wscript.exe (PID: 7296 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • DateEnd.exe (PID: 7356 cmdline: "C:\Users\user\AppData\Roaming\DateEnd.exe" MD5: F7BE7513DE4566C4C67E860E85C4D6AB)
      • InstallUtil.exe (PID: 7392 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1377368007.00000000028EC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000009.00000002.1405894268.000000000439C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      0000000A.00000002.2492055778.0000000003131000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        0000000A.00000002.2492055778.0000000003131000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000009.00000002.1405894268.000000000427A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 27 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.New requirement Orders.exe.466cdaa.4.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
              0.2.New requirement Orders.exe.5e40000.11.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                9.2.DateEnd.exe.439c590.7.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                  0.2.New requirement Orders.exe.466cdaa.4.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                    2.2.InstallUtil.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                      Click to see the 23 entries

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: WScript or CScript Dropper
                      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs" , ProcessId: 7296, ProcessName: wscript.exe
                      Sigma detected: Suspicious Outbound SMTP Connections
                      Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 7112, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49688
                      Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs" , ProcessId: 7296, ProcessName: wscript.exe

                      Data Obfuscation

                      barindex
                      Sigma detected: Drops script at startup location
                      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\New requirement Orders.exe, ProcessId: 6920, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs

                      Suricata Signatures

                      No Suricata rule has matched

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus / Scanner detection for submitted sample
                      Source: New requirement Orders.exeAvira: detected
                      Antivirus detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeAvira: detection malicious, Label: TR/AD.GenSteal.kpetg
                      Found malware configuration
                      Source: 2.2.InstallUtil.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeReversingLabs: Detection: 72%
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeVirustotal: Detection: 63%Perma Link
                      Multi AV Scanner detection for submitted file
                      Source: New requirement Orders.exeVirustotal: Detection: 63%Perma Link
                      Source: New requirement Orders.exeReversingLabs: Detection: 72%
                      Joe Sandbox ML detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: New requirement Orders.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49685 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49689 version: TLS 1.2
                      Source: New requirement Orders.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: New requirement Orders.exe, 00000000.00000002.1261353413.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1255038620.000000000450A000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004161000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: New requirement Orders.exe, 00000000.00000002.1261353413.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1255038620.000000000450A000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004161000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmp
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                      Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                      Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                      Source: Joe Sandbox ViewIP Address: 46.175.148.58 46.175.148.58
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: api.ipify.org
                      Source: unknownDNS query: name: api.ipify.org
                      Source: global trafficTCP traffic: 192.168.2.6:49688 -> 46.175.148.58:25
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                      Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                      Source: global trafficDNS traffic detected: DNS query: mail.iaa-airferight.com
                      Source: InstallUtil.exe, 00000002.00000002.1377368007.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2492055778.000000000315C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.iaa-airferight.com
                      Source: New requirement Orders.exe, 00000000.00000002.1233916159.0000000003171000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1377368007.0000000002871000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1376186902.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2492055778.00000000030EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1373833255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.000000000427A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1373833255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1377368007.0000000002871000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.000000000427A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2492055778.00000000030EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                      Source: InstallUtil.exe, 00000002.00000002.1377368007.0000000002871000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2492055778.00000000030EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                      Source: InstallUtil.exe, 00000002.00000002.1377368007.0000000002871000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2492055778.00000000030EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1233916159.0000000003171000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1376186902.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49689
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49685
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49685 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49689 -> 443
                      Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49685 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49689 version: TLS 1.2

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.New requirement Orders.exe.481a9b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 9.2.DateEnd.exe.428f570.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.New requirement Orders.exe.481a9b0.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 9.2.DateEnd.exe.428f570.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.New requirement Orders.exe.46ec590.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.New requirement Orders.exe.42813a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Initial sample is a PE file and has a suspicious name
                      Source: initial sampleStatic PE information: Filename: New requirement Orders.exe
                      Windows Scripting host queries suspicious COM object (likely to drop second stage)
                      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeCode function: 0_2_017125D00_2_017125D0
                      Source: C:\Users\user\Desktop\New requirement Orders.exeCode function: 0_2_017129B80_2_017129B8
                      Source: C:\Users\user\Desktop\New requirement Orders.exeCode function: 0_2_01711FC00_2_01711FC0
                      Source: C:\Users\user\Desktop\New requirement Orders.exeCode function: 0_2_0171C3880_2_0171C388
                      Source: C:\Users\user\Desktop\New requirement Orders.exeCode function: 0_2_017125EE0_2_017125EE
                      Source: C:\Users\user\Desktop\New requirement Orders.exeCode function: 0_2_017129A80_2_017129A8
                      Source: C:\Users\user\Desktop\New requirement Orders.exeCode function: 0_2_0171BDF80_2_0171BDF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_00D0E4802_2_00D0E480
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_00D0A9472_2_00D0A947
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_00D04A902_2_00D04A90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_00D0DCB82_2_00D0DCB8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_00D03E782_2_00D03E78
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_00D041C02_2_00D041C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_06257D682_2_06257D68
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062555882_2_06255588
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062565E02_2_062565E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0625B20F2_2_0625B20F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062530402_2_06253040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062576882_2_06257688
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_06255CD32_2_06255CD3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062523492_2_06252349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0625E3882_2_0625E388
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062500402_2_06250040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_062500062_2_06250006
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_010F25D09_2_010F25D0
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_010F29B89_2_010F29B8
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_010F1FC09_2_010F1FC0
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_010FC3889_2_010FC388
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_010F25EE9_2_010F25EE
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_010F29A89_2_010F29A8
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_010FBDF89_2_010FBDF8
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054B00409_2_054B0040
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054B5F509_2_054B5F50
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054B19A39_2_054B19A3
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054BD6109_2_054BD610
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054BD6209_2_054BD620
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054B76809_2_054B7680
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054B76909_2_054B7690
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054B41D89_2_054B41D8
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054B00069_2_054B0006
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054B5F429_2_054B5F42
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054CECD09_2_054CECD0
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054CA9989_2_054CA998
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C8C089_2_054C8C08
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C8C189_2_054C8C18
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C1F779_2_054C1F77
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C0FD09_2_054C0FD0
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054CEFF79_2_054CEFF7
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C1F889_2_054C1F88
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C2FA59_2_054C2FA5
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054CB6C89_2_054CB6C8
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C76A49_2_054C76A4
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054CB6BA9_2_054CB6BA
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054CA9889_2_054CA988
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_0132E6A110_2_0132E6A1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_0132A94F10_2_0132A94F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_01324A9810_2_01324A98
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_01323E8010_2_01323E80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_013241C810_2_013241C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B3A25C10_2_06B3A25C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B3B88010_2_06B3B880
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B4558810_2_06B45588
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B465E010_2_06B465E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B4B20F10_2_06B4B20F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B4304010_2_06B43040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B47D6810_2_06B47D68
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B4768810_2_06B47688
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B4E38810_2_06B4E388
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B4234A10_2_06B4234A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B4004010_2_06B40040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B45CD310_2_06B45CD3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B4000610_2_06B40006
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B4019110_2_06B40191
                      Source: New requirement Orders.exe, 00000000.00000002.1232664798.000000000132E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs New requirement Orders.exe
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUljeghkmtpw.dll" vs New requirement Orders.exe
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs New requirement Orders.exe
                      Source: New requirement Orders.exe, 00000000.00000002.1261353413.0000000005F10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs New requirement Orders.exe
                      Source: New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs New requirement Orders.exe
                      Source: New requirement Orders.exe, 00000000.00000002.1259095254.0000000005910000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUljeghkmtpw.dll" vs New requirement Orders.exe
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.000000000450A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs New requirement Orders.exe
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUayykxivqjs.exe8 vs New requirement Orders.exe
                      Source: New requirement Orders.exe, 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs New requirement Orders.exe
                      Source: New requirement Orders.exe, 00000000.00000002.1233916159.0000000003569000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs New requirement Orders.exe
                      Source: New requirement Orders.exe, 00000000.00000002.1233916159.0000000003171000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs New requirement Orders.exe
                      Source: New requirement Orders.exeBinary or memory string: OriginalFilenameUayykxivqjs.exe8 vs New requirement Orders.exe
                      Source: New requirement Orders.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.New requirement Orders.exe.481a9b0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 9.2.DateEnd.exe.428f570.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.New requirement Orders.exe.481a9b0.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 9.2.DateEnd.exe.428f570.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.New requirement Orders.exe.46ec590.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.New requirement Orders.exe.42813a0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: New requirement Orders.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: DateEnd.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: New requirement Orders.exe, DetailedDecorator.csCryptographic APIs: 'CreateDecryptor'
                      Source: DateEnd.exe.0.dr, DetailedDecorator.csCryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@10/4@2/2
                      Source: C:\Users\user\Desktop\New requirement Orders.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7776:120:WilError_03
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs"
                      Source: New requirement Orders.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: New requirement Orders.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: New requirement Orders.exeVirustotal: Detection: 63%
                      Source: New requirement Orders.exeReversingLabs: Detection: 72%
                      Source: C:\Users\user\Desktop\New requirement Orders.exeFile read: C:\Users\user\Desktop\New requirement Orders.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\New requirement Orders.exe "C:\Users\user\Desktop\New requirement Orders.exe"
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\DateEnd.exe "C:\Users\user\AppData\Roaming\DateEnd.exe"
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\DateEnd.exe "C:\Users\user\AppData\Roaming\DateEnd.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsta.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: New requirement Orders.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: New requirement Orders.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: New requirement Orders.exeStatic file information: File size 1238016 > 1048576
                      Source: New requirement Orders.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x12da00
                      Source: New requirement Orders.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: New requirement Orders.exe, 00000000.00000002.1261353413.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1255038620.000000000450A000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004161000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: New requirement Orders.exe, 00000000.00000002.1261353413.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1255038620.000000000450A000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004161000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      barindex
                      .NET source code contains potential unpacker
                      Source: New requirement Orders.exe, EditableStub.cs.Net Code: GenerateLogicalStub System.AppDomain.Load(byte[])
                      Source: DateEnd.exe.0.dr, EditableStub.cs.Net Code: GenerateLogicalStub System.AppDomain.Load(byte[])
                      Source: 0.2.New requirement Orders.exe.4419a00.0.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                      Source: 0.2.New requirement Orders.exe.4419a00.0.raw.unpack, ListDecorator.cs.Net Code: Read
                      Source: 0.2.New requirement Orders.exe.4419a00.0.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                      Source: 0.2.New requirement Orders.exe.4419a00.0.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                      Source: 0.2.New requirement Orders.exe.4419a00.0.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.New requirement Orders.exe.45accd0.1.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.New requirement Orders.exe.455ccb0.6.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                      Yara detected Costura Assembly Loader
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.466cdaa.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.5e40000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.DateEnd.exe.439c590.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.466cdaa.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.DateEnd.exe.439c590.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.5e40000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.42813a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000009.00000002.1405894268.000000000439C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1260934868.0000000005E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1255038620.0000000004623000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.1376186902.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1233916159.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: New requirement Orders.exe PID: 6920, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: DateEnd.exe PID: 7356, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_00D00C53 push ebx; retf 2_2_00D00C52
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_00D00C45 push ebx; retf 2_2_00D00C52
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_00D00C6D push edi; retf 2_2_00D00C7A
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_010F066A push esp; ret 9_2_010F06D9
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C5507 push cs; retf 9_2_054C550F
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C5CE6 push edx; retf 9_2_054C5CE7
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C54B5 push edi; retf 9_2_054C54C6
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeCode function: 9_2_054C19DD push FFFFFFAAh; iretd 9_2_054C19DF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_01320C6D push edi; retf 10_2_01320C7A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_01320C45 push ebx; retf 10_2_01320C52
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B3E7A3 push eax; ret 10_2_06B3E7AA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B3E7A0 push eax; ret 10_2_06B3E7A2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B3800B push ss; ret 10_2_06B38012
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B38008 push ss; ret 10_2_06B3800A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B38078 push ss; ret 10_2_06B3807A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B3E820 push eax; ret 10_2_06B3E82A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B334E3 push es; retf 10_2_06B334E4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B37CD1 push cs; ret 10_2_06B37CD2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B37C31 push cs; ret 10_2_06B37C32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B37C01 push cs; ret 10_2_06B37C02
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_06B33A40 push FC06C2DAh; retf 10_2_06B33A4D
                      Source: New requirement Orders.exeStatic PE information: section name: .text entropy: 7.924305190823011
                      Source: DateEnd.exe.0.drStatic PE information: section name: .text entropy: 7.924305190823011
                      Source: C:\Users\user\Desktop\New requirement Orders.exeFile created: C:\Users\user\AppData\Roaming\DateEnd.exeJump to dropped file

                      Boot Survival

                      barindex
                      Drops VBS files to the startup folder
                      Source: C:\Users\user\Desktop\New requirement Orders.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbsJump to dropped file
                      Source: C:\Users\user\Desktop\New requirement Orders.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbsJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbsJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Yara detected AntiVM3
                      Source: Yara matchFile source: Process Memory Space: New requirement Orders.exe PID: 6920, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: DateEnd.exe PID: 7356, type: MEMORYSTR
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: New requirement Orders.exe, 00000000.00000002.1233916159.0000000003171000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1376186902.0000000002E21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\New requirement Orders.exeMemory allocated: 1710000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeMemory allocated: 3170000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeMemory allocated: 5170000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: D00000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2870000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 27B0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeMemory allocated: 10F0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeMemory allocated: 2E20000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeMemory allocated: 2D60000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 1300000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 30E0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 50E0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 2184Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 7667Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 1799Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 8052Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep count: 32 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -29514790517935264s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -100000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608Thread sleep count: 2184 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -99875s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -99765s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3608Thread sleep count: 7667 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -99656s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -99547s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -99437s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -99327s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -99218s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -99093s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -98984s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -98869s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -98748s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -98599s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -98484s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -98373s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -98265s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -98154s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -98046s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -97935s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -97828s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -97719s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -97609s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -97500s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -97390s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -97281s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -97172s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -97062s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -96953s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -96844s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -96734s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -96625s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -96516s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -96405s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -96199s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -96075s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -95787s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -95672s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -95562s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -95453s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -95341s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -95234s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -95125s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -95016s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -94906s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -94797s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -94687s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -94578s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -94469s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -94344s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -94234s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6640Thread sleep time: -94125s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep count: 36 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -33204139332677172s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -100000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7528Thread sleep count: 1799 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -99873s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7528Thread sleep count: 8052 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -99765s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -99656s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -99547s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -99437s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -99328s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -99219s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -99109s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -99000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -98890s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -98781s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -98668s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -98560s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -98453s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -98343s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -98234s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -98125s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -98015s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -97906s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -97795s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -97685s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -97578s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -97469s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -97359s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -97250s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -97140s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -97031s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -96922s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -96812s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -96700s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -96592s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -96484s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -96372s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -96054s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -95936s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -95828s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -95719s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -95609s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -95500s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -95391s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -95281s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -95172s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -95062s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -94953s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -94844s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -94734s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -94625s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -94516s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7520Thread sleep time: -94406s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99765Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99437Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99327Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99218Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99093Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98869Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98748Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98599Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98484Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98373Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98265Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98154Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98046Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97935Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97828Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97719Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97609Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97500Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97390Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97281Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97172Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96953Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96844Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96734Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96625Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96516Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96405Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96199Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96075Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95787Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95672Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95562Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95453Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95341Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95234Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95125Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95016Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94906Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94797Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94687Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94578Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94469Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94344Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94234Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94125Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99873Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99765Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99656Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99437Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99219Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99109Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98890Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98781Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98668Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98560Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98453Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98343Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98234Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98125Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98015Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97906Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97795Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97685Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97578Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97469Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97359Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97250Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97140Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97031Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96922Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96812Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96700Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96592Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96484Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96372Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96054Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95936Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95828Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95719Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95609Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95500Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95391Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95281Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95172Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94953Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94844Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94734Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94625Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94516Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94406Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                      Source: DateEnd.exe, 00000009.00000002.1376186902.0000000002E21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                      Source: InstallUtil.exe, 00000002.00000002.1375127089.0000000000AB3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
                      Source: DateEnd.exe, 00000009.00000002.1376186902.0000000002E21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                      Source: InstallUtil.exe, 0000000A.00000002.2500377987.0000000006450000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\DateEnd.exe "C:\Users\user\AppData\Roaming\DateEnd.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeQueries volume information: C:\Users\user\Desktop\New requirement Orders.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeQueries volume information: C:\Users\user\AppData\Roaming\DateEnd.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DateEnd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: C:\Users\user\Desktop\New requirement Orders.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected AgentTesla
                      Source: Yara matchFile source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.481a9b0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.DateEnd.exe.428f570.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.481a9b0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.DateEnd.exe.428f570.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.46ec590.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.42813a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.1377368007.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2492055778.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.1405894268.000000000427A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1373833255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2492055778.000000000315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1377368007.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: New requirement Orders.exe PID: 6920, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7112, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: DateEnd.exe PID: 7356, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7392, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: Yara matchFile source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.481a9b0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.DateEnd.exe.428f570.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.481a9b0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.DateEnd.exe.428f570.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.46ec590.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.42813a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000A.00000002.2492055778.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.1405894268.000000000427A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1373833255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1377368007.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: New requirement Orders.exe PID: 6920, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7112, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: DateEnd.exe PID: 7356, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7392, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected AgentTesla
                      Source: Yara matchFile source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.481a9b0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.DateEnd.exe.428f570.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.481a9b0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.DateEnd.exe.428f570.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.46ec590.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.New requirement Orders.exe.42813a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.1377368007.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2492055778.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.1405894268.000000000427A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1373833255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2492055778.000000000315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1377368007.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: New requirement Orders.exe PID: 6920, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7112, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: DateEnd.exe PID: 7356, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7392, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity Information111
                      Scripting                      		Valid Accounts131
                      Windows Management Instrumentation                      		111
                      Scripting                      		1
                      DLL Side-Loading                      		1
                      Disable or Modify Tools                      		2
                      OS Credential Dumping                      		2
                      File and Directory Discovery                      		Remote Services11
                      Archive Collected Data                      		1
                      Ingress Tool Transfer                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Scheduled Task/Job                      		1
                      DLL Side-Loading                      		11
                      Process Injection                      		1
                      Deobfuscate/Decode Files or Information                      		1
                      Credentials in Registry                      		24
                      System Information Discovery                      		Remote Desktop Protocol2
                      Data from Local System                      		11
                      Encrypted Channel                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAt1
                      Scheduled Task/Job                      		1
                      Scheduled Task/Job                      		2
                      Obfuscated Files or Information                      		Security Account Manager321
                      Security Software Discovery                      		SMB/Windows Admin Shares1
                      Email Collection                      		2
                      Non-Application Layer Protocol                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCron2
                      Registry Run Keys / Startup Folder                      		2
                      Registry Run Keys / Startup Folder                      		12
                      Software Packing                      		NTDS1
                      Process Discovery                      		Distributed Component Object ModelInput Capture23
                      Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      DLL Side-Loading                      		LSA Secrets141
                      Virtualization/Sandbox Evasion                      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Masquerading                      		Cached Domain Credentials1
                      Application Window Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                      Virtualization/Sandbox Evasion                      		DCSync1
                      System Network Configuration Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                      Process Injection                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1640572 Sample: New requirement Orders.exe Startdate: 17/03/2025 Architecture: WINDOWS Score: 100 37 mail.iaa-airferight.com 2->37 39 api.ipify.org 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 10 other signatures 2->47 8 wscript.exe 1 2->8         started        11 New requirement Orders.exe 5 2->11         started        signatures3 process4 file5 57 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->57 14 DateEnd.exe 2 8->14         started        27 C:\Users\user\AppData\Roaming\DateEnd.exe, PE32 11->27 dropped 29 C:\Users\user\AppData\Roaming\...\DateEnd.vbs, ASCII 11->29 dropped 31 C:\Users\user\...\DateEnd.exe:Zone.Identifier, ASCII 11->31 dropped 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->59 17 InstallUtil.exe 15 2 11->17         started        20 MpCmdRun.exe 1 11->20         started        signatures6 process7 dnsIp8 61 Antivirus detection for dropped file 14->61 63 Multi AV Scanner detection for dropped file 14->63 22 InstallUtil.exe 2 14->22         started        33 api.ipify.org 104.26.12.205, 443, 49685, 49689 CLOUDFLARENETUS United States 17->33 35 mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine 17->35 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->65 67 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->67 69 Tries to steal Mail credentials (via file / registry access) 17->69 25 conhost.exe 20->25         started        signatures9 process10 signatures11 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->49 51 Tries to steal Mail credentials (via file / registry access) 22->51 53 Tries to harvest and steal ftp login credentials 22->53 55 Tries to harvest and steal browser information (history, passwords, etc) 22->55

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      New requirement Orders.exe63%VirustotalBrowse
                      New requirement Orders.exe72%ReversingLabsWin32.Trojan.RedLineStealer
                      New requirement Orders.exe100%AviraTR/AD.GenSteal.kpetg

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\DateEnd.exe100%AviraTR/AD.GenSteal.kpetg
                      C:\Users\user\AppData\Roaming\DateEnd.exe72%ReversingLabsWin32.Trojan.RedLineStealer
                      C:\Users\user\AppData\Roaming\DateEnd.exe63%VirustotalBrowse

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      No Antivirus matches

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      mail.iaa-airferight.com
                      		46.175.148.58
                      		truefalse
                        		high
                        api.ipify.org
                        		104.26.12.205
                        		truefalse
                          		high

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://api.ipify.org/false
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://github.com/mgravell/protobuf-netNew requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://api.ipify.orgNew requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1373833255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1377368007.0000000002871000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.000000000427A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2492055778.00000000030EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://github.com/mgravell/protobuf-netiNew requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://stackoverflow.com/q/14436606/23354New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1233916159.0000000003171000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1376186902.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://account.dyn.com/New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1373833255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.000000000427A000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://github.com/mgravell/protobuf-netJNew requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://api.ipify.org/tInstallUtil.exe, 00000002.00000002.1377368007.0000000002871000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2492055778.00000000030EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameNew requirement Orders.exe, 00000000.00000002.1233916159.0000000003171000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1377368007.0000000002871000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1376186902.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2492055778.00000000030EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://stackoverflow.com/q/11564914/23354;New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://stackoverflow.com/q/2152978/23354New requirement Orders.exe, 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, New requirement Orders.exe, 00000000.00000002.1261156700.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.0000000004077000.00000004.00000800.00020000.00000000.sdmp, DateEnd.exe, 00000009.00000002.1405894268.00000000040B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://mail.iaa-airferight.comInstallUtil.exe, 00000002.00000002.1377368007.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2492055778.000000000315C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  104.26.12.205
                                                  		api.ipify.orgUnited States
                                                  		13335CLOUDFLARENETUSfalse
                                                  46.175.148.58
                                                  		mail.iaa-airferight.comUkraine
                                                  		56394ASLAGIDKOM-NETUAfalse

                                                  General Information

                                                  Joe Sandbox version:42.0.0 Malachite
                                                  Analysis ID:1640572
                                                  Start date and time:2025-03-17 13:12:56 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 7m 32s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:15
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:New requirement Orders.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.expl.evad.winEXE@10/4@2/2
                                                  EGA Information:
                                                  • Successful, ratio: 50%
                                                  HCA Information:
                                                  • Successful, ratio: 98%
                                                  • Number of executed functions: 321
                                                  • Number of non-executed functions: 4
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe

                                                  Warnings

                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.12.23.50, 172.202.163.200
                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target DateEnd.exe, PID 7356 because it is empty
                                                  • Execution Graph export aborted for target New requirement Orders.exe, PID 6920 because it is empty
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  08:13:54API Interceptor285x Sleep call for process: InstallUtil.exe modified
                                                  08:14:57API Interceptor1x Sleep call for process: MpCmdRun.exe modified
                                                  13:13:55AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  104.26.12.205ue8Q3DCbNG.exeGet hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  LauncherV9.exeGet hashmaliciousLummaC StealerBrowse
                                                  • api.ipify.org/
                                                  Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exeGet hashmaliciousUnknownBrowse
                                                  • api.ipify.org/?format=xml
                                                  NightFixed 1.0.exeGet hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  VibeCall.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                  • api.ipify.org/
                                                  VRChat_ERP_Setup 1.0.0.msiGet hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  wEY98gM1Jj.ps1Get hashmaliciousLummaC StealerBrowse
                                                  • api.ipify.org/
                                                  oNvY66Z8jp.ps1Get hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  Pmw24ExIdx.ps1Get hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  DeepLauncher.exeGet hashmaliciousUnknownBrowse
                                                  • api.ipify.org/
                                                  46.175.148.58SecuriteInfo.com.Win32.PWSX-gen.11592.10317.exeGet hashmaliciousAgentTeslaBrowse
                                                    SecuriteInfo.com.Win32.PWSX-gen.22728.13847.exeGet hashmaliciousAgentTeslaBrowse
                                                      SOA - HUAFENG (JAN INVOICE OVERDUE).exeGet hashmaliciousAgentTeslaBrowse
                                                        payment confirmation.exeGet hashmaliciousAgentTeslaBrowse
                                                          purchase order T&B19-20PO128.exeGet hashmaliciousAgentTeslaBrowse
                                                            SecuriteInfo.com.Win32.CrypterX-gen.25378.7586.exeGet hashmaliciousAgentTeslaBrowse
                                                              T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeGet hashmaliciousAgentTeslaBrowse
                                                                Global e-Banking Payment Advice 000000164.exeGet hashmaliciousAgentTeslaBrowse
                                                                  Wire Remittance Detail.exeGet hashmaliciousAgentTeslaBrowse
                                                                    SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exeGet hashmaliciousAgentTeslaBrowse

                                                                      Domains

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      mail.iaa-airferight.comSecuriteInfo.com.Win32.PWSX-gen.11592.10317.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      SecuriteInfo.com.Win32.PWSX-gen.22728.13847.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      SOA - HUAFENG (JAN INVOICE OVERDUE).exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      payment confirmation.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      purchase order T&B19-20PO128.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      SecuriteInfo.com.Win32.CrypterX-gen.25378.7586.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      Global e-Banking Payment Advice 000000164.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      Wire Remittance Detail.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      api.ipify.orgue8Q3DCbNG.exeGet hashmaliciousUnknownBrowse
                                                                      • 172.67.74.152
                                                                      eR2hECroRD.exeGet hashmaliciousUnknownBrowse
                                                                      • 172.67.74.152
                                                                      K9PwdfoVnG.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.13.205
                                                                      ue8Q3DCbNG.exeGet hashmaliciousUnknownBrowse
                                                                      • 104.26.12.205
                                                                      eR2hECroRD.exeGet hashmaliciousUnknownBrowse
                                                                      • 172.67.74.152
                                                                      nn1jUU3YSs.msiGet hashmaliciousUnknownBrowse
                                                                      • 104.26.13.205
                                                                      sample.zip.zipGet hashmaliciousGlobeimposterBrowse
                                                                      • 172.67.74.152
                                                                      Acodihicozaja.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.13.205
                                                                      24sBT3Cffz.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.13.205
                                                                      12ss323fcw8gsd4bvd.exeGet hashmaliciousUnknownBrowse
                                                                      • 104.26.12.205

                                                                      ASNs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      CLOUDFLARENETUSimagine_Whatsapp_2025-03-12.img.exeGet hashmaliciousUnknownBrowse
                                                                      • 1.1.1.1
                                                                      PURCHASE ORDER N0259305-06SN.exeGet hashmaliciousFormBookBrowse
                                                                      • 172.67.222.201
                                                                      QUOTATION 03664710859027.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                      • 104.21.80.1
                                                                      SHANXI Outward Remittance.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                      • 104.21.48.1
                                                                      Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 104.21.32.1
                                                                      RFQ 306 & 307.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                      • 104.21.48.1
                                                                      http://www.teubes.comGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                      • 188.114.96.3
                                                                      https://check.telavya8.icu/gkcxv.google?i=4876e1f6-ac44-408f-999b-2cd4a9b4a8df%20#%20''I%20am%20not%20a%20'robot'%20-%20%D0%B3e%D0%A1%D0%90%D0%A0%D0%A2%D0%A1%D0%9D%D0%90%20Verification%20ID:%202482''Get hashmaliciousUnknownBrowse
                                                                      • 188.114.96.3
                                                                      https://stelladass.co.uk/ra3.pdfGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                                                      • 104.17.25.14
                                                                      ue8Q3DCbNG.exeGet hashmaliciousUnknownBrowse
                                                                      • 172.67.74.152
                                                                      ASLAGIDKOM-NETUASecuriteInfo.com.Win32.PWSX-gen.11592.10317.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      SecuriteInfo.com.Win32.PWSX-gen.22728.13847.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      SOA - HUAFENG (JAN INVOICE OVERDUE).exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      payment confirmation.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      purchase order T&B19-20PO128.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      SecuriteInfo.com.Win32.CrypterX-gen.25378.7586.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      Global e-Banking Payment Advice 000000164.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      Wire Remittance Detail.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58
                                                                      SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 46.175.148.58

                                                                      JA3 Fingerprints

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      3b5074b1b5d032e5620f69f9f700ff0eQUOTATION 03664710859027.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                      • 104.26.12.205
                                                                      SHANXI Outward Remittance.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                      • 104.26.12.205
                                                                      Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 104.26.12.205
                                                                      SKMBT20783_ZM.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                      • 104.26.12.205
                                                                      K9PwdfoVnG.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.12.205
                                                                      ALDAKHEEL OUD Order.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 104.26.12.205
                                                                      Pendiente De Transferencia.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                      • 104.26.12.205
                                                                      73ybGtnYXx.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                      • 104.26.12.205
                                                                      yeah.exeGet hashmaliciousXWormBrowse
                                                                      • 104.26.12.205
                                                                      Shipping Documents - SI078534.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 104.26.12.205

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Roaming\DateEnd.exe

                                                                      Download File
                                                                      Process:C:\Users\user\Desktop\New requirement Orders.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1238016
                                                                      Entropy (8bit):7.920399740965059
                                                                      Encrypted:false
                                                                      SSDEEP:24576:cEdOKZXnURX0tazMeSjgcyK2EtLk1UDXfAK/XmC/sa:993AEszCjAfz17KvmWs
                                                                      MD5:F7BE7513DE4566C4C67E860E85C4D6AB
                                                                      SHA1:D522AC7D5009E66E3AADDC819D4124422E460EBF
                                                                      SHA-256:27BD5E4723CF6F83C2F4A5669ED07025C8C7925EE09B59861C6EC6009615E28D
                                                                      SHA-512:16B59E662F5462EE03541F02E26228A9443B6427128E1D0CA56CA5F5C76228322104BEFD40D68265AE81CE0D1D270F53A312FC5473AA53184632522AB6AE25D0
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 72%
                                                                      • Antivirus: Virustotal, Detection: 63%, Browse
                                                                      Reputation:low
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Do.g................................. ........@.. .......................@............`.....................................K............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............=...........:..............................................*...(....*..0.......... ........8........E....,.......f...Y...8'......}.... ....~....{....9....& ....8......|......(...+ ....~....{....:....& ....8......|....(....*..(....}.... ....~....{....:e...& ....8Z....0..{....... ........8........E........,.......8....*..(.... ....~....{....:....& ....8.....(....o...... ....~....{....9....& ....8.....&~.......*...~....*..0..7.........(....}.......}.......}......|.

                                                                      C:\Users\user\AppData\Roaming\DateEnd.exe:Zone.Identifier

                                                                      Download File
                                                                      Process:C:\Users\user\Desktop\New requirement Orders.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:true
                                                                      Reputation:high, very likely benign file
                                                                      Preview:[ZoneTransfer]....ZoneId=0

                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs

                                                                      Download File
                                                                      Process:C:\Users\user\Desktop\New requirement Orders.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):85
                                                                      Entropy (8bit):4.682838321911257
                                                                      Encrypted:false
                                                                      SSDEEP:3:FER/n0eFHHoN+EaKC5iFLiCHnn:FER/lFHIN7aZ5iFL/H
                                                                      MD5:AC797A31C08DDB350A16EBFC8BDB7ECF
                                                                      SHA1:6CFEF2F7C47345AF704A71A758D9D99A9A4A7E13
                                                                      SHA-256:6258030799483D1CA08C1D263A31A7233F9DE5F00F7ABDF5873EC5D32FA3F94C
                                                                      SHA-512:48EEE66A16329B878F957CC16DBC36BC73E4A3FC8A853FA000158DB95F6D62A6ACADFB6D354FC2F04FA5D67972EE1C2922922CDE93696DDEF96CBA2984D1A425
                                                                      Malicious:true
                                                                      Reputation:low
                                                                      Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\DateEnd.exe"""

                                                                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

                                                                      Download File
                                                                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):4926
                                                                      Entropy (8bit):3.2446058450572135
                                                                      Encrypted:false
                                                                      SSDEEP:48:FaqdF7w8sd+AAHdKoqKFxcxkF28suaqdF7d+AAHdKoqKFxcxkFN:cEe+AAsoJjyk0Ed+AAsoJjykX
                                                                      MD5:957FE38914FDB441CF19B7FFDA2B17BB
                                                                      SHA1:8023B318791F198F697C85415299A77D5CE4C5B7
                                                                      SHA-256:585C3A624B7E688E1272EF28A5FB7FEDC6ECEBA35FF3A9B22F76D1616C691265
                                                                      SHA-512:3783F1591FDB56056CD7842A8913029E667D018544A1E6B01C2A1281FAD7A83070E564CF41FE677F0A26C686BE94ADA135337079F85F3BFA376987CE9CA4B174
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. O.c.t. .. 0.5. .. 2.0.2.3. .0.8.:.3.6.:.3.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.920399740965059
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                      File name:New requirement Orders.exe
                                                                      File size:1'238'016 bytes
                                                                      MD5:f7be7513de4566c4c67e860e85c4d6ab
                                                                      SHA1:d522ac7d5009e66e3aaddc819d4124422e460ebf
                                                                      SHA256:27bd5e4723cf6f83c2f4a5669ed07025c8c7925ee09b59861c6ec6009615e28d
                                                                      SHA512:16b59e662f5462ee03541f02e26228a9443b6427128e1d0ca56ca5f5c76228322104befd40d68265ae81ce0d1d270f53a312fc5473aa53184632522ab6ae25d0
                                                                      SSDEEP:24576:cEdOKZXnURX0tazMeSjgcyK2EtLk1UDXfAK/XmC/sa:993AEszCjAfz17KvmWs
                                                                      TLSH:AC451203BB47C572C2891BBBC84A45108BB1D7839257E38BB6ED67A59403738EE543DB
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Do.g................................. ........@.. .......................@............`................................

                                                                      File Icon

                                                                      Icon Hash:90cececece8e8eb0

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x52f9ce
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x67D16F44 [Wed Mar 12 11:25:56 2025 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      jmp dword ptr [00402000h]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al

                                                                      Data Directories

                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x12f9800x4b.text
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x1300000x5b8.rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x1320000xc.reloc
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                      Sections

                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                      .text0x20000x12d9d40x12da002c96da7e7da30dcb039c2addbaf8cbc3False0.9371487127020307data7.924305190823011IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                      .rsrc0x1300000x5b80x600fd17edaa6bf0204895ff0bfc3ded6857False0.4212239583333333data4.13122791590702IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .reloc0x1320000xc0x200217ab85d39465cea396b987f84f894dbFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                      RT_VERSION0x1300a00x32cdata0.4248768472906404
                                                                      RT_MANIFEST0x1303cc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                      Imports

                                                                      DLLImport
                                                                      mscoree.dll_CorExeMain

                                                                      Version Infos

                                                                      DescriptionData
                                                                      Translation0x0000 0x04b0
                                                                      Comments
                                                                      CompanyName
                                                                      FileDescriptionUayykxivqjs
                                                                      FileVersion1.0.0.0
                                                                      InternalNameUayykxivqjs.exe
                                                                      LegalCopyrightCopyright 2016
                                                                      LegalTrademarks
                                                                      OriginalFilenameUayykxivqjs.exe
                                                                      ProductNameUayykxivqjs
                                                                      ProductVersion1.0.0.0
                                                                      Assembly Version1.0.0.0

                                                                      Network Behavior

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Mar 17, 2025 13:13:53.664793015 CET49685443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:13:53.664836884 CET44349685104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:13:53.664923906 CET49685443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:13:53.675508022 CET49685443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:13:53.675530910 CET44349685104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:13:54.164197922 CET44349685104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:13:54.164278030 CET49685443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:13:54.278126001 CET49685443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:13:54.278158903 CET44349685104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:13:54.278541088 CET44349685104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:13:54.326114893 CET49685443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:13:54.397691965 CET49685443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:13:54.440319061 CET44349685104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:13:54.508460999 CET44349685104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:13:54.508524895 CET44349685104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:13:54.508574009 CET49685443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:13:54.515283108 CET49685443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:13:55.669540882 CET4968825192.168.2.646.175.148.58
                                                                      Mar 17, 2025 13:13:56.654197931 CET4968825192.168.2.646.175.148.58
                                                                      Mar 17, 2025 13:13:58.669842005 CET4968825192.168.2.646.175.148.58
                                                                      Mar 17, 2025 13:14:02.685457945 CET4968825192.168.2.646.175.148.58
                                                                      Mar 17, 2025 13:14:07.285223961 CET49689443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:14:07.285267115 CET44349689104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:14:07.285351992 CET49689443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:14:07.288786888 CET49689443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:14:07.288803101 CET44349689104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:14:07.752578020 CET44349689104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:14:07.752656937 CET49689443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:14:07.754945040 CET49689443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:14:07.754960060 CET44349689104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:14:07.755224943 CET44349689104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:14:07.794830084 CET49689443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:14:08.320200920 CET49689443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:14:08.364337921 CET44349689104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:14:08.425654888 CET44349689104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:14:08.425734043 CET44349689104.26.12.205192.168.2.6
                                                                      Mar 17, 2025 13:14:08.425798893 CET49689443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:14:08.428801060 CET49689443192.168.2.6104.26.12.205
                                                                      Mar 17, 2025 13:14:09.091698885 CET4969125192.168.2.646.175.148.58
                                                                      Mar 17, 2025 13:14:10.092168093 CET4969125192.168.2.646.175.148.58
                                                                      Mar 17, 2025 13:14:12.091774940 CET4969125192.168.2.646.175.148.58
                                                                      Mar 17, 2025 13:14:16.091788054 CET4969125192.168.2.646.175.148.58
                                                                      Mar 17, 2025 13:14:24.107434034 CET4969125192.168.2.646.175.148.58

                                                                      UDP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Mar 17, 2025 13:13:53.647025108 CET6152553192.168.2.61.1.1.1
                                                                      Mar 17, 2025 13:13:53.655073881 CET53615251.1.1.1192.168.2.6
                                                                      Mar 17, 2025 13:13:55.653719902 CET6542853192.168.2.61.1.1.1
                                                                      Mar 17, 2025 13:13:55.668972969 CET53654281.1.1.1192.168.2.6

                                                                      DNS Queries

                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                      Mar 17, 2025 13:13:53.647025108 CET192.168.2.61.1.1.10x17f2Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                      Mar 17, 2025 13:13:55.653719902 CET192.168.2.61.1.1.10x782Standard query (0)mail.iaa-airferight.comA (IP address)IN (0x0001)false

                                                                      DNS Answers

                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                      Mar 17, 2025 13:13:53.655073881 CET1.1.1.1192.168.2.60x17f2No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                                      Mar 17, 2025 13:13:53.655073881 CET1.1.1.1192.168.2.60x17f2No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                                      Mar 17, 2025 13:13:53.655073881 CET1.1.1.1192.168.2.60x17f2No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                                      Mar 17, 2025 13:13:55.668972969 CET1.1.1.1192.168.2.60x782No error (0)mail.iaa-airferight.com46.175.148.58A (IP address)IN (0x0001)false

                                                                      HTTP Request Dependency Graph

                                                                      • api.ipify.org

                                                                      HTTPS Proxied Packets

                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      0192.168.2.649685104.26.12.2054437112C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2025-03-17 12:13:54 UTC155OUTGET / HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                      Host: api.ipify.org
                                                                      Connection: Keep-Alive
                                                                      2025-03-17 12:13:54 UTC424INHTTP/1.1 200 OK
                                                                      Date: Mon, 17 Mar 2025 12:13:54 GMT
                                                                      Content-Type: text/plain
                                                                      Content-Length: 12
                                                                      Connection: close
                                                                      Vary: Origin
                                                                      cf-cache-status: DYNAMIC
                                                                      Server: cloudflare
                                                                      CF-RAY: 921c682f4f92433f-EWR
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1545&rtt_var=590&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2815&recv_bytes=769&delivery_rate=1838790&cwnd=179&unsent_bytes=0&cid=1c321afd68a9c779&ts=353&x=0"
                                                                      2025-03-17 12:13:54 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                                      Data Ascii: 8.46.123.189


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      1192.168.2.649689104.26.12.2054437392C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2025-03-17 12:14:08 UTC155OUTGET / HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                      Host: api.ipify.org
                                                                      Connection: Keep-Alive
                                                                      2025-03-17 12:14:08 UTC424INHTTP/1.1 200 OK
                                                                      Date: Mon, 17 Mar 2025 12:14:08 GMT
                                                                      Content-Type: text/plain
                                                                      Content-Length: 12
                                                                      Connection: close
                                                                      Vary: Origin
                                                                      cf-cache-status: DYNAMIC
                                                                      Server: cloudflare
                                                                      CF-RAY: 921c68865cd64268-EWR
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1581&rtt_var=602&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2815&recv_bytes=769&delivery_rate=1802469&cwnd=169&unsent_bytes=0&cid=b9b77e15e0468368&ts=677&x=0"
                                                                      2025-03-17 12:14:08 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                                      Data Ascii: 8.46.123.189


                                                                      Statistics

                                                                      CPU Usage

                                                                      Click to jump to process

                                                                      Memory Usage

                                                                      Click to jump to process

                                                                      High Level Behavior Distribution

                                                                      Click to dive into process behavior distribution

                                                                      Behavior

                                                                      Click to jump to process

                                                                      System Behavior

                                                                      General

                                                                      Target ID:0
                                                                      Start time:08:13:51
                                                                      Start date:17/03/2025
                                                                      Path:C:\Users\user\Desktop\New requirement Orders.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\New requirement Orders.exe"
                                                                      Imagebase:0xd80000
                                                                      File size:1'238'016 bytes
                                                                      MD5 hash:F7BE7513DE4566C4C67E860E85C4D6AB
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1255038620.0000000004171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1260934868.0000000005E40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1255038620.0000000004623000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1233916159.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1255038620.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:2
                                                                      Start time:08:13:52
                                                                      Start date:17/03/2025
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                      Imagebase:0x4f0000
                                                                      File size:42'064 bytes
                                                                      MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1377368007.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1373833255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1373833255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1377368007.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1377368007.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:8
                                                                      Start time:08:14:03
                                                                      Start date:17/03/2025
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DateEnd.vbs"
                                                                      Imagebase:0x7ff6af1e0000
                                                                      File size:170'496 bytes
                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:9
                                                                      Start time:08:14:05
                                                                      Start date:17/03/2025
                                                                      Path:C:\Users\user\AppData\Roaming\DateEnd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\DateEnd.exe"
                                                                      Imagebase:0x970000
                                                                      File size:1'238'016 bytes
                                                                      MD5 hash:F7BE7513DE4566C4C67E860E85C4D6AB
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.1405894268.000000000439C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1405894268.000000000427A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1405894268.000000000427A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.1376186902.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 72%, ReversingLabs
                                                                      • Detection: 63%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:10
                                                                      Start time:08:14:06
                                                                      Start date:17/03/2025
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                      Imagebase:0xc90000
                                                                      File size:42'064 bytes
                                                                      MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2492055778.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2492055778.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2492055778.000000000315C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      General

                                                                      Target ID:12
                                                                      Start time:08:14:57
                                                                      Start date:17/03/2025
                                                                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                      Imagebase:0x7ff6887b0000
                                                                      File size:468'120 bytes
                                                                      MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:13
                                                                      Start time:08:14:57
                                                                      Start date:17/03/2025
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff68dae0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Disassembly

                                                                      Reset < >