Analysis Report CONFIRM PURCHASE ORDER_715567247690.EXE

Overview

General Information

Sample Name: CONFIRM PURCHASE ORDER_715567247690.EXE
MD5: 004fc6d9b658d96079fef6128e11b988
SHA1: 4127b2c1722d17f5fdaae1f93b35a618d7c012ef
SHA256: bdab1f372910abf4123d4d931e9ff32923b715015147a4c500ee5eb4a65e048e

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious values (likely registry only malware)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • CONFIRM PURCHASE ORDER_715567247690.EXE (PID: 4936 cmdline: 'C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE' MD5: 004FC6D9B658D96079FEF6128E11B988)
    • InstallUtil.exe (PID: 2936 cmdline: C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • InstallUtil.exe (PID: 3852 cmdline: C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • wscript.exe (PID: 4888 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\562258\IyEWBl\IyEWBlXQs.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • IyEWB.exe (PID: 952 cmdline: 'C:\562258\IyEWBl\IyEWB.exe' MD5: 004FC6D9B658D96079FEF6128E11B988)
      • InstallUtil.exe (PID: 2424 cmdline: C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • wscript.exe (PID: 1168 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\562258\IyEWBl\IyEWBlXQs.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • IyEWB.exe (PID: 768 cmdline: 'C:\562258\IyEWBl\IyEWB.exe' MD5: 004FC6D9B658D96079FEF6128E11B988)
      • InstallUtil.exe (PID: 4796 cmdline: C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • InstallUtil.exe (PID: 2960 cmdline: C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
        • netsh.exe (PID: 2616 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
CONFIRM PURCHASE ORDER_715567247690.EXE | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x98ee7:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x9886f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Dropped Files

Source | Rule | Description | Author | Strings
C:\562258\IyEWBl\IyEWB.exe | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x98ee7:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x9886f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.660099177.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.617043369.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.950917944.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.625058090.0000000004ED0000.00000004.00000001.sdmp | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x53547:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x52ecf:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
00000005.00000002.625583235.00000000053C2000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(18 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.IyEWB.exe.4d10000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.IyEWB.exe.53c0000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.CONFIRM PURCHASE ORDER_715567247690.EXE.5d60000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.IyEWB.exe.4ed0000.3.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth
  • 0x50947:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x502cf:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
(13 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started
Author: Joe Security
Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 2960, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 2616

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\562258\IyEWBl\IyEWB.exe | Virustotal: Detection: 27%
Source: C:\562258\IyEWBl\IyEWB.exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: CONFIRM PURCHASE ORDER_715567247690.EXE | Virustotal: Detection: 27%
Source: CONFIRM PURCHASE ORDER_715567247690.EXE | ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\562258\IyEWBl\IyEWB.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CONFIRM PURCHASE ORDER_715567247690.EXE | Joe Sandbox ML: detected
Source: 10.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: radiokerigma.com.br
Source: InstallUtil.exe, 0000000A.00000002.955998274.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: InstallUtil.exe, 0000000A.00000002.955998274.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: InstallUtil.exe, 0000000A.00000002.955998274.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: InstallUtil.exe, 0000000A.00000002.955998274.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: InstallUtil.exe, 0000000A.00000002.955998274.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: InstallUtil.exe, 0000000A.00000002.955998274.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: InstallUtil.exe, 0000000A.00000002.955998274.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: InstallUtil.exe, 0000000A.00000002.953300677.0000000003050000.00000004.00000001.sdmp | String found in binary or memory: http://radiokerigma.com.br
Source: InstallUtil.exe, 0000000A.00000002.953300677.0000000003050000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 0000000A.00000002.952928085.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: https://c0RxOvqNdkr90m9.org
Source: InstallUtil.exe, 0000000A.00000002.952928085.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: https://c0RxOvqNdkr90m9.orgPKg
Source: InstallUtil.exe, 0000000A.00000002.953300677.0000000003050000.00000004.00000001.sdmp | String found in binary or memory: https://radiokerigma.com.br
Source: InstallUtil.exe, 0000000A.00000002.953300677.0000000003050000.00000004.00000001.sdmp | String found in binary or memory: https://radiokerigma.com.br/inscricao/fonts/webpanel/inc/f7fd75df663d82.php
Source: InstallUtil.exe, 0000000A.00000002.953300677.0000000003050000.00000004.00000001.sdmp | String found in binary or memory: https://radiokerigma.com.br4
Source: InstallUtil.exe, 0000000A.00000002.953300677.0000000003050000.00000004.00000001.sdmp | String found in binary or memory: https://radiokerigma.com.brD8
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0676A24C SetWindowsHookExW 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: CONFIRM PURCHASE ORDER_715567247690.EXE, 00000000.00000002.558980398.00000000014D0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window created: window name: CLIPBRDWNDCLASS

                  System Summary:

                  barindex
                  Initial sample is a PE file and has a suspicious nameShow sources
                  Source: initial sampleStatic PE information: Filename: CONFIRM PURCHASE ORDER_715567247690.EXE
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_03071C04 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,0_2_03071C04
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_030700AD NtOpenSection,NtMapViewOfSection,0_2_030700AD
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_04DD00AD NtOpenSection,NtMapViewOfSection,5_2_04DD00AD
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_04DD1C04 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,5_2_04DD1C04
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 8_2_00E31C04 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,8_2_00E31C04
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 8_2_00E300AD NtOpenSection,NtMapViewOfSection,8_2_00E300AD
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_00DE5F160_2_00DE5F16
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_00DE31710_2_00DE3171
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_00DE52E60_2_00DE52E6
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_014CEB900_2_014CEB90
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_014CEF470_2_014CEF47
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_014C58C80_2_014C58C8
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_014C58B80_2_014C58B8
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_014C0ACF0_2_014C0ACF
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_014C0AE00_2_014C0AE0
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_018672E00_2_018672E0
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_0186DA400_2_0186DA40
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_018600E10_2_018600E1
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_018600400_2_01860040
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_018603520_2_01860352
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_01864AB80_2_01864AB8
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_01864FD00_2_01864FD0
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXECode function: 0_2_030416380_2_03041638
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_010E15603_2_010E1560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_010E04483_2_010E0448
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_010E10603_2_010E1060
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_010E15503_2_010E1550
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_010E07903_2_010E0790
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054015E03_2_054015E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054044C03_2_054044C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054094953_2_05409495
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054097283_2_05409728
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054051883_2_05405188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054011A83_2_054011A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054039E03_2_054039E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0540D9883_2_0540D988
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054088C83_2_054088C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054015D03_2_054015D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054055B23_2_054055B2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054097193_2_05409719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054011983_2_05401198
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0540904E3_2_0540904E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054043D03_2_054043D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_05408D233_2_05408D23
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_05408D973_2_05408D97
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_0540D9783_2_0540D978
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_054088B93_2_054088B9
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_003931715_2_00393171
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_003952E65_2_003952E6
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_00395F165_2_00395F16
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_026FEB905_2_026FEB90
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_026FEF365_2_026FEF36
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_026F0AE05_2_026F0AE0
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_026F0ACF5_2_026F0ACF
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_027672CF5_2_027672CF
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_027685985_2_02768598
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_02764AB85_2_02764AB8
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_027603525_2_02760352
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_027600405_2_02760040
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_027600E15_2_027600E1
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_02764FD05_2_02764FD0
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_029115B85_2_029115B8
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_026F58C85_2_026F58C8
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 5_2_026F58C75_2_026F58C7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_017B15606_2_017B1560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_017B10606_2_017B1060
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_017B04486_2_017B0448
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_017B15506_2_017B1550
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_017B07906_2_017B0790
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD15E06_2_05AD15E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD44C06_2_05AD44C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD97286_2_05AD9728
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD11A86_2_05AD11A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD51886_2_05AD5188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05ADD9886_2_05ADD988
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD88C86_2_05AD88C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD55B16_2_05AD55B1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD15DC6_2_05AD15DC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD44B06_2_05AD44B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD97196_2_05AD9719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD11986_2_05AD1198
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD904E6_2_05AD904E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD8D976_2_05AD8D97
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD8D236_2_05AD8D23
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05ADD93E6_2_05ADD93E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05AD88B96_2_05AD88B9
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 8_2_001D31718_2_001D3171
                  Source: C:\562258\IyEWBl\IyEWB.exeCode function: 8_2_001D52E68_2_001D52E6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A15E010_2_056A15E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A44C010_2_056A44C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A972810_2_056A9728
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A11A810_2_056A11A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A518810_2_056A5188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056AD98810_2_056AD988
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A88C810_2_056A88C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A15D010_2_056A15D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A55B210_2_056A55B2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A44B010_2_056A44B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A971910_2_056A9719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A119810_2_056A1198
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A904E10_2_056A904E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A8D2310_2_056A8D23
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A8D9710_2_056A8D97
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056AD94710_2_056AD947
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_056A88B910_2_056A88B9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F761810_2_065F7618
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F379010_2_065F3790
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F84B010_2_065F84B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F55A010_2_065F55A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065FC28010_2_065FC280
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F9EB810_2_065F9EB8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F3FD010_2_065F3FD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F6FE010_2_065F6FE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065FDD6810_2_065FDD68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F4AD810_2_065F4AD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F7B4810_2_065F7B48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065FBBB810_2_065FBBB8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F09F010_2_065F09F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F760910_2_065F7609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F84A010_2_065F84A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F25A010_2_065F25A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065FE27010_2_065FE270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065FC27010_2_065FC270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065FE26010_2_065FE260
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F52D210_2_065F52D2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F004010_2_065F0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 10_2_065F9EA810_2_065F9EA8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065F3FC1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065F4ACA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065F8B48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065F8B3A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065F7B39
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065F4B36
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065FBBA8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065FA938
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065FA928
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065F39F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065F09E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0676F6B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06767738
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06765208
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06766340
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06767088
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06761C20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06767729
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0676444F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0676442C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06764330
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06764321
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_067643EF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_067643DD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06767078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_067651FA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06763D96
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06764A04
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_06763B27
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_067639D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: String function: 065F1C48 appears 33 times
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: IyEWB.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE, 00000000.00000000.529772350.0000000000E78000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyxuiql.exe< vs CONFIRM PURCHASE ORDER_715567247690.EXE
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE, 00000000.00000002.564570812.0000000005670000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs CONFIRM PURCHASE ORDER_715567247690.EXE
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE, 00000000.00000002.562135747.0000000004201000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFGlKJStvThVlQnJxCKpkPIzlGboxcd.exe4 vs CONFIRM PURCHASE ORDER_715567247690.EXE
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE, 00000000.00000002.561954404.0000000004190000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamebDicVHLCdmJf.exe4 vs CONFIRM PURCHASE ORDER_715567247690.EXE
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE, 00000000.00000002.558980398.00000000014D0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs CONFIRM PURCHASE ORDER_715567247690.EXE
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE | Binary or memory string: OriginalFilenameyxuiql.exe< vs CONFIRM PURCHASE ORDER_715567247690.EXE
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE, type: SAMPLE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 00000005.00000002.625058090.0000000004ED0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 00000000.00000002.565012915.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 00000008.00000002.666226599.0000000004D80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: C:\562258\IyEWBl\IyEWB.exe, type: DROPPED | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 5.2.IyEWB.exe.4ed0000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 5.2.IyEWB.exe.4ed0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 8.2.IyEWB.exe.4d80000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 0.2.CONFIRM PURCHASE ORDER_715567247690.EXE.58a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 0.2.CONFIRM PURCHASE ORDER_715567247690.EXE.58a0000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 0.0.CONFIRM PURCHASE ORDER_715567247690.EXE.de0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 8.2.IyEWB.exe.4d80000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 5.2.IyEWB.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 8.0.IyEWB.exe.1d0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 0.2.CONFIRM PURCHASE ORDER_715567247690.EXE.de0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 8.2.IyEWB.exe.1d0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: 5.0.IyEWB.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: IyEWB.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/5@2/1
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CONFIRM PURCHASE ORDER_715567247690.EXE.log
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_01
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\562258\IyEWBl\IyEWBlXQs.vbs'
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                  Source: C:\562258\IyEWBl\IyEWB.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE | Virustotal: Detection: 27%
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE | ReversingLabs: Detection: 25%
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | File read: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE
                  Source: unknown | Process created: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE 'C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE'
                  Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe
                  Source: unknown | Process created: C:\562258\IyEWBl\IyEWB.exe 'C:\562258\IyEWBl\IyEWB.exe'
                  Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\562258\IyEWBl\IyEWB.exe 'C:\562258\IyEWBl\IyEWB.exe'
                  Source: C:\562258\IyEWBl\IyEWB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: CONFIRM PURCHASE ORDER_715567247690.EXE | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | Code function: 0_2_01864F78 pushad ; ret 0_2_01864FC1
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_026F5250 pushad ; retf 5_2_026F525A
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_026F50D5 push esp; retf 5_2_026F50D9
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_026F00B8 push ecx; retf 5_2_026F00C2
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_026F48B0 pushad ; retf 5_2_026F48DA
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_026F5110 push eax; retf 5_2_026F5119
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_026F4E4D pushad ; retf 5_2_026F4E52
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_026F4FA8 pushad ; retf 5_2_026F4FD2
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_026F4D28 pushad ; retf 5_2_026F4D42
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_0276DBE8 push edx; retf 5_2_0276E04E
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_0276BAF8 push 5500CB6Eh; retf 5_2_0276BC5E
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_0276E2AF push 565700CBh; retf 5_2_0276E2BE
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_0276CA83 push edx; retf 5_2_0276CA8E
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_0276B280 push 8B5600CBh; retf 5_2_0276B28E
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_0276E3A8 push FFFFFFCBh; retf 5_2_0276E3B6
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_0276C121 pushad ; retf 5_2_0276C12E
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_0276D6F9 push ecx; retf 5_2_0276D706
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_02764F78 pushad ; ret 5_2_02764FC1
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_0276D488 push ecx; retf 5_2_0276D6A6
                  Source: C:\562258\IyEWBl\IyEWB.exe | Code function: 5_2_02911283 push 8B5500CBh; retf 5_2_0291128E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_056AFEE3 push esp; iretd 10_2_056AFEED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_056AFE88 push esp; iretd 10_2_056AFEED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065FFE33 push esi; ret 10_2_065FFE5E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065FCD32 push es; iretd 10_2_065FCD34
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_065FFA18 push ecx; ret 10_2_065FFA26
                  Source: initial sample | Static PE information: section name: .text entropy: 7.69368611427

                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | File created: C:\562258\IyEWBl\IyEWB.exe

                  Boot Survival:

                  Creates autostart registry keys with suspicious values (likely registry only malware)
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IyEWB C:\562258\IyEWBl\IyEWBlXQs.vbs
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IyEWB

                  Hooking and other Techniques for Hiding and Protection:

                  Icon mismatch, binary includes an icon from a different legit application in order to fool users
                  Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (5001).png
                  Source: C:\Users\user\Desktop\CONFIRM PURCHASE ORDER_715567247690.EXE | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\562258\IyEWBl\IyEWB.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Window