Edit tour

Windows Analysis Report
SOA - HUAFENG (JAN INVOICE OVERDUE).exe

Overview

General Information

Sample name:	SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Analysis ID:	1640818
MD5:	7641ada9754cd20d4ea00fcff9d14b05
SHA1:	8c15e9b5137c69eab85e052abf5c67cc4cc6f9dd
SHA256:	6be1f66c2715c6e4e9e535375607880080dd5a110326e80418d224b129aa50e2
Tags:	exeuser-threatcat_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SOA - HUAFENG (JAN INVOICE OVERDUE).exe (PID: 692 cmdline: "C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe" MD5: 7641ADA9754CD20D4EA00FCFF9D14B05)

InstallUtil.exe (PID: 7492 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 7844 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelData.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

ChannelData.exe (PID: 7892 cmdline: "C:\Users\user\AppData\Roaming\ChannelData.exe" MD5: 7641ADA9754CD20D4EA00FCFF9D14B05)

InstallUtil.exe (PID: 7988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "classic@iaa-airferight.com", "Password": "BIGNAIRA2024"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.1526317646.000000000252C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1545536995.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1545536995.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1525149829.0000000002D57000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.1526317646.0000000002501000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1526317646.0000000002501000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1296713688.0000000005F80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.1522791312.0000000000542000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1522791312.0000000000542000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1545536995.0000000003DF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1545536995.0000000003DF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1289728685.0000000003E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1289728685.0000000003E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2429982790.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2429982790.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2429982790.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1289728685.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1289728685.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1545536995.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1280301174.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: SOA - HUAFENG (JAN INVOICE OVERDUE).exe PID: 692	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: SOA - HUAFENG (JAN INVOICE OVERDUE).exe PID: 692	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SOA - HUAFENG (JAN INVOICE OVERDUE).exe PID: 692	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SOA - HUAFENG (JAN INVOICE OVERDUE).exe PID: 692	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 7492	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7492	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ChannelData.exe PID: 7892	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: ChannelData.exe PID: 7892	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ChannelData.exe PID: 7892	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ChannelData.exe PID: 7892	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 7988	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7988	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.5f80000.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.2.ChannelData.exe.3ce5570.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3e75570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3e75570.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3e75570.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316cf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31741:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317cb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3185d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318c7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31939:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319cf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a5f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.InstallUtil.exe.540000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.InstallUtil.exe.540000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.InstallUtil.exe.540000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33541:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335cb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3365d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33739:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.ChannelData.exe.3ce5570.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.2.ChannelData.exe.3f91f30.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.ChannelData.exe.3f91f30.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.ChannelData.exe.3f91f30.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316cf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31741:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317cb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3185d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318c7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31939:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319cf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a5f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.ChannelData.exe.3f91f30.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.ChannelData.exe.3f91f30.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.ChannelData.exe.3f91f30.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33541:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335cb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3365d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33739:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.5f80000.9.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3e75570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3e75570.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3e75570.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33541:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335cb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3365d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33739:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelData.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelData.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelData.vbs" , ProcessId: 7844, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 7492, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49717

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelData.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelData.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelData.vbs" , ProcessId: 7844, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ProcessId: 692, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelData.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.ChannelData.exe.3f91f30.6.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "classic@iaa-airferight.com", "Password": "BIGNAIRA2024"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ChannelData.exe

ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Virustotal: Detection: 40%			Perma Link
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe	ReversingLabs: Detection: 66%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49723 version: TLS 1.2

Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1291500523.00000000059C0000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.000000000403D000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003F06000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003E64000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1291500523.00000000059C0000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.000000000403D000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003F06000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003E64000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1296916544.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1296916544.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 4x nop then jmp 05835720h		10_2_05835661
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 4x nop then jmp 05835720h		10_2_05835668

Source: Joe Sandbox View	IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49717 -> 46.175.148.58:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: InstallUtil.exe, 00000007.00000002.1535545105.0000000004E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.me
Source: InstallUtil.exe, 00000007.00000002.1535545105.0000000004E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ChannelData.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: InstallUtil.exe, 00000007.00000002.1526317646.000000000252C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2429982790.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1280301174.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1526317646.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1525149829.0000000002D57000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2429982790.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, ChannelData.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1522791312.0000000000542000.00000040.00000400.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003DF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1522791312.0000000000542000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1526317646.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003DF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2429982790.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: InstallUtil.exe, 00000007.00000002.1526317646.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2429982790.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: InstallUtil.exe, 00000007.00000002.1526317646.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2429982790.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1296916544.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1296916544.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003DF2000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1296916544.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1296916544.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1296916544.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp, SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1280301174.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1525149829.0000000002D57000.00000004.00000800.00020000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1296916544.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp, ChannelData.exe, 0000000A.00000002.1545536995.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49723 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3e75570.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.InstallUtil.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ChannelData.exe.3f91f30.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ChannelData.exe.3f91f30.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3e75570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: SOA - HUAFENG (JAN INVOICE OVERDUE).exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_05836F90 NtProtectVirtualMemory,	10_2_05836F90
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_05839FB8 NtResumeThread,	10_2_05839FB8
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_05839FB0 NtResumeThread,	10_2_05839FB0
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_05836F68 NtProtectVirtualMemory,	10_2_05836F68
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_0583A0A7 NtResumeThread,	10_2_0583A0A7

Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Code function: 0_2_059C6E5B	0_2_059C6E5B
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Code function: 0_2_0163E048	0_2_0163E048
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Code function: 0_2_0163A160	0_2_0163A160
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Code function: 0_2_0163A151	0_2_0163A151
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Code function: 0_2_0163A6F0	0_2_0163A6F0
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Code function: 0_2_068CF888	0_2_068CF888
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Code function: 0_2_068CDFC8	0_2_068CDFC8
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Code function: 0_2_068CE548	0_2_068CE548
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Code function: 0_2_068B0006	0_2_068B0006
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Code function: 0_2_068B0040	0_2_068B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0237A4F8	7_2_0237A4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0237E5E0	7_2_0237E5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02374A90	7_2_02374A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0237A958	7_2_0237A958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0237DE18	7_2_0237DE18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02373E78	7_2_02373E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_023741C0	7_2_023741C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DC9170	7_2_05DC9170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DCBB10	7_2_05DCBB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DD65D8	7_2_05DD65D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DD55C0	7_2_05DD55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DD7D68	7_2_05DD7D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DDC178	7_2_05DDC178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DD2360	7_2_05DD2360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DDB220	7_2_05DDB220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DD5CE0	7_2_05DD5CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DD7688	7_2_05DD7688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DD0040	7_2_05DD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DDE3A0	7_2_05DDE3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DD0007	7_2_05DD0007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_05DD0037	7_2_05DD0037
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_0110E048	10_2_0110E048
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_0110A151	10_2_0110A151
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_0110A160	10_2_0110A160
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_0110A6F0	10_2_0110A6F0
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_05838338	10_2_05838338
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_05833B68	10_2_05833B68
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_05838828	10_2_05838828
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_05838328	10_2_05838328
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_05833B58	10_2_05833B58
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_0675F888	10_2_0675F888
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_0675DFC8	10_2_0675DFC8
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_06740040	10_2_06740040
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_06740007	10_2_06740007
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Code function: 10_2_0675E548	10_2_0675E548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_02C34A98	11_2_02C34A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_02C3AA1A	11_2_02C3AA1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_02C3E801	11_2_02C3E801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_02C33E80	11_2_02C33E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_02C341C8	11_2_02C341C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067AA39C	11_2_067AA39C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067B65D8	11_2_067B65D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067B55C0	11_2_067B55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067BB213	11_2_067BB213
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067B3078	11_2_067B3078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067BC178	11_2_067BC178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067B7D68	11_2_067B7D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067B7688	11_2_067B7688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067B2350	11_2_067B2350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067BE3A0	11_2_067BE3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067B0040	11_2_067B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067B5CCB	11_2_067B5CCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067B0025	11_2_067B0025

Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Binary or memory string: OriginalFilename vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1296916544.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1280301174.000000000323C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename69f9de06-3db1-4f6f-8eb7-8ce21e91f1c8.exe4 vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1279287295.000000000113E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003F70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBlabh.dll" vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003F70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1291500523.00000000059C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1280301174.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000000.1160014207.0000000000B44000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJjgmwy.exeB vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.000000000403D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.000000000403D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJjgmwy.exeB vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename69f9de06-3db1-4f6f-8eb7-8ce21e91f1c8.exe4 vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1289728685.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, 00000000.00000002.1291845279.0000000005B60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBlabh.dll" vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Binary or memory string: OriginalFilenameJjgmwy.exeB vs SOA - HUAFENG (JAN INVOICE OVERDUE).exe

Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3e75570.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.InstallUtil.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ChannelData.exe.3f91f30.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ChannelData.exe.3f91f30.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.3e75570.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ChannelData.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, Yghbckh.cs	Cryptographic APIs: 'CreateDecryptor'
Source: ChannelData.exe.0.dr, Yghbckh.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.408c170.1.raw.unpack, Yghbckh.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: ChannelData.exe.0.dr, Yghbckh.cs	Suspicious method names: .Yghbckh.FetchPayloadAsync
Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, Yghbckh.cs	Suspicious method names: .Yghbckh.FetchPayloadAsync
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.408c170.1.raw.unpack, Yghbckh.cs	Suspicious method names: .Yghbckh.FetchPayloadAsync

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: unknown	Process created: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe "C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe"
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelData.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\ChannelData.exe "C:\Users\user\AppData\Roaming\ChannelData.exe"
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\ChannelData.exe "C:\Users\user\AppData\Roaming\ChannelData.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior

Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe, Hkuah.cs	.Net Code: Xnrypaqpv System.AppDomain.Load(byte[])
Source: ChannelData.exe.0.dr, Hkuah.cs	.Net Code: Xnrypaqpv System.AppDomain.Load(byte[])
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.59c0000.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.408c170.1.raw.unpack, Hkuah.cs	.Net Code: Xnrypaqpv System.AppDomain.Load(byte[])
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.403d950.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.5ff0000.10.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.5ff0000.10.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.5ff0000.10.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.5ff0000.10.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.5ff0000.10.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Source: Yara match	File source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.5f80000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ChannelData.exe.3ce5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ChannelData.exe.3ce5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA - HUAFENG (JAN INVOICE OVERDUE).exe.5f80000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1525149829.0000000002D57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1296713688.0000000005F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1545536995.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1280301174.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA - HUAFENG (JAN INVOICE OVERDUE).exe PID: 692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelData.exe PID: 7892, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02370C6D push edi; retf	7_2_02370C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02370C45 push ebx; retf	7_2_02370C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_02C30C45 push ebx; retf	11_2_02C30C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_02C30C6D push edi; retf	11_2_02C30C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067AFB43 push es; ret	11_2_067AFB44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_067AFB3F push es; ret	11_2_067AFB40

Source: SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Static PE information: section name: .text entropy: 7.99849113902645
Source: ChannelData.exe.0.dr	Static PE information: section name: .text entropy: 7.99849113902645

Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	File created: \soa - huafeng (jan invoice overdue).exe
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	File created: \soa - huafeng (jan invoice overdue).exe			Jump to behavior

Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Memory allocated: 1630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Memory allocated: 4E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 22D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 24B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 22D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Memory allocated: 4CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2246	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7591	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 8448	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1399	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SOA - HUAFENG (JAN INVOICE OVERDUE).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

Windows Analysis Report
SOA - HUAFENG (JAN INVOICE OVERDUE).exe

Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe TID: 3580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe TID: 1340	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe TID: 1340	Thread sleep count: 154 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -38738162554790034s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7656	Thread sleep count: 2246 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -99873s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7656	Thread sleep count: 7591 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -99757s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -99654s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -99536s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -99354s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -99236s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -99115s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -98660s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -98544s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -97641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -97313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -97188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -96968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -96857s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -96640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -96463s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -96297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -96062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -95844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -95704s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -95578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -95469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -95359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -95250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -95141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -95031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -94922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -94813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -94688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -94578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -94469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -94313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -94187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7652	Thread sleep time: -94078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe TID: 7928	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe TID: 7936	Thread sleep count: 172 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8096	Thread sleep count: 8448 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8096	Thread sleep count: 1399 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -98188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -98064s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -97938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -97719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -97391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -97063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -96813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -96688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -96344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -96234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -96125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -96016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -95906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -95797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -95688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -95563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -95344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -95219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -95110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -94985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -94860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -94735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -94610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -94485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8092	Thread sleep time: -94360s >= -30000s	Jump to behavior

Source: InstallUtil.exe, 0000000B.00000002.2438010645.0000000006168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: ChannelData.exe, 0000000A.00000002.1525149829.0000000002D57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: InstallUtil.exe, 00000007.00000002.1535545105.0000000004E44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: ChannelData.exe, 0000000A.00000002.1525149829.0000000002D57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 540000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Queries volume information: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA - HUAFENG (JAN INVOICE OVERDUE).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Queries volume information: C:\Users\user\AppData\Roaming\ChannelData.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Source	Detection	Scanner	Label	Link
SOA - HUAFENG (JAN INVOICE OVERDUE).exe	41%	Virustotal		Browse
SOA - HUAFENG (JAN INVOICE OVERDUE).exe	67%	ReversingLabs	Win32.Packed.Generic

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.iaa-airferight.com	46.175.148.58	true	false		high
api.ipify.org	172.67.74.152	true	false		high