Analysis Report iEhBDrw6oW.exe

Overview

General Information

Sample Name: iEhBDrw6oW.exe
MD5: bd2aeaab8f491a77f7c7ce59b027cf2c
SHA1: 2a790244357f24b6145a43d35a3644728250e2dc
SHA256: 5b37cc85fd190a6b4726ea57f2588b5a74acc2c51e2917363c226b73ac79118f

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains potential unpacker
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • iEhBDrw6oW.exe (PID: 4872 cmdline: 'C:\Users\user\Desktop\iEhBDrw6oW.exe' MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
    • iEhBDrw6oW.exe (PID: 2764 cmdline: C:\Users\user\Desktop\iEhBDrw6oW.exe MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
    • iEhBDrw6oW.exe (PID: 5012 cmdline: C:\Users\user\Desktop\iEhBDrw6oW.exe MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
    • iEhBDrw6oW.exe (PID: 3760 cmdline: C:\Users\user\Desktop\iEhBDrw6oW.exe MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
      • netsh.exe (PID: 6080 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • appdata.exe (PID: 3160 cmdline: 'C:\Users\user\appdata.exe' MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
    • appdata.exe (PID: 5364 cmdline: C:\Users\user\appdata.exe MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
      • netsh.exe (PID: 4804 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • appdata.exe (PID: 6076 cmdline: 'C:\Users\user\appdata.exe' MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
    • appdata.exe (PID: 6044 cmdline: C:\Users\user\appdata.exe MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
      • netsh.exe (PID: 5520 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "Mv3XZrglzid4", "URL: ": "https://bQhrnZX76uilMKih6M.com", "To: ": "", "ByHost: ": "twire.icu:5878", "Password: ": "fSeGE1XnG7", "From: ": ""}

Yara Overview

Memory Dumps

Source: 00000006.00000002.1509757669.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000004.00000002.1509711592.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000008.00000002.1509756370.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.1148720340.0000000002512000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000000.00000002.1099706659.0000000003B74000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
(5 of 22 entries shown)

            Unpacked PEs

Source: 4.2.iEhBDrw6oW.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 8.2.appdata.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 6.2.appdata.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

                  Sigma Overview


System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started, Author: Joe Security, Data:
  Command: 'netsh' wlan show profile
  CommandLine: 'netsh' wlan show profile
  CommandLine|base64offset|contains: V
  Image: C:\Windows\SysWOW64\netsh.exe
  NewProcessName: C:\Windows\SysWOW64\netsh.exe
  OriginalFileName: C:\Windows\SysWOW64\netsh.exe
  ParentCommandLine: C:\Users\user\Desktop\iEhBDrw6oW.exe
  ParentImage: C:\Users\user\Desktop\iEhBDrw6oW.exe
  ParentProcessId: 3760
  ProcessCommandLine: 'netsh' wlan show profile
  ProcessId: 6080

                  Signature Overview


                  AV Detection:

Found malware configuration
Source: iEhBDrw6oW.exe.3760.4.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "Mv3XZrglzid4", "URL: ": "https://bQhrnZX76uilMKih6M.com", "To: ": "", "ByHost: ": "twire.icu:5878", "Password: ": "fSeGE1XnG7", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\appdata.exe, Virustotal: Detection: 75%
Source: C:\Users\user\appdata.exe, Metadefender: Detection: 18%
Source: C:\Users\user\appdata.exe, ReversingLabs: Detection: 83%
Multi AV Scanner detection for submitted file
Source: iEhBDrw6oW.exe, Virustotal: Detection: 75%
Source: iEhBDrw6oW.exe, Metadefender: Detection: 18%
Source: iEhBDrw6oW.exe, ReversingLabs: Detection: 83%
Machine Learning detection for dropped file
Source: C:\Users\user\appdata.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: iEhBDrw6oW.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.iEhBDrw6oW.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 8.2.appdata.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 6.2.appdata.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\iEhBDrw6oW.exe, Code function: 4x nop then inc dword ptr [ebp-14h] 0_2_02839B60
Source: C:\Users\user\appdata.exe, Code function: 4x nop then inc dword ptr [ebp-14h] 5_2_00A99B60
Source: C:\Users\user\appdata.exe, Code function: 4x nop then inc dword ptr [ebp-14h] 5_2_00A99C52

                  Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49945 -> 198.54.120.244:587
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49950 -> 198.54.120.244:587
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49951 -> 198.54.120.244:587
Source: global traffic, TCP traffic: 192.168.2.6:49945 -> 198.54.120.244:587
Source: Joe Sandbox View, ASN Name: unknown unknown
Source: appdata.exe, 00000008.00000002.1513789972.0000000002BBF000.00000004.00000001.sdmp, String found in binary or memory: [Chrome plugin metadata JSON omitted]
Source: unknown, DNS traffic detected: queries for: twire.icu
Source: iEhBDrw6oW.exe, 00000004.00000002.1514012890.0000000002E9A000.00000004.00000001.sdmp, appdata.exe, 00000006.00000002.1513946318.0000000002F50000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.1513789972.0000000002BBF000.00000004.00000001.sdmp, String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: iEhBDrw6oW.exe, 00000004.00000002.1514012890.0000000002E9A000.00000004.00000001.sdmp, appdata.exe, 00000006.00000002.1513946318.0000000002F50000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.1513789972.0000000002BBF000.00000004.00000001.sdmp, String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: iEhBDrw6oW.exe, 00000004.00000002.1514012890.0000000002E9A000.00000004.00000001.sdmp, appdata.exe, 00000006.00000002.1513946318.0000000002F50000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.1513789972.0000000002BBF000.00000004.00000001.sdmp, String found in binary or memory: http://support.apple.com/kb/HT203092
Source: iEhBDrw6oW.exe, 00000004.00000002.1514457879.0000000002F96000.00000004.00000001.sdmp, appdata.exe, 00000006.00000002.1514380812.000000000304C000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.1514360187.0000000002CBB000.00000004.00000001.sdmp, String found in binary or memory: http://twire.icu
Source: appdata.exe, 00000008.00000002.1513789972.0000000002BBF000.00000004.00000001.sdmp, String found in binary or memory: https://bQhrnZX76uilMKih6M.com
Source: iEhBDrw6oW.exe, 00000004.00000002.1514012890.0000000002E9A000.00000004.00000001.sdmp, appdata.exe, 00000006.00000002.1513946318.0000000002F50000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.1513789972.0000000002BBF000.00000004.00000001.sdmp, String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: iEhBDrw6oW.exe, 00000004.00000002.1514012890.0000000002E9A000.00000004.00000001.sdmp, appdata.exe, 00000006.00000002.1513946318.0000000002F50000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.1513789972.0000000002BBF000.00000004.00000001.sdmp, String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: iEhBDrw6oW.exe, 00000004.00000002.1514012890.0000000002E9A000.00000004.00000001.sdmp, appdata.exe, 00000006.00000002.1513946318.0000000002F50000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.1513789972.0000000002BBF000.00000004.00000001.sdmp, String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: iEhBDrw6oW.exe, 00000004.00000002.1514012890.0000000002E9A000.00000004.00000001.sdmp, appdata.exe, 00000006.00000002.1513946318.0000000002F50000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.1513789972.0000000002BBF000.00000004.00000001.sdmp, String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: appdata.exe, appdata.exe, 00000006.00000000.1145967368.0000000000AF2000.00000002.00020000.sdmp, appdata.exe, 00000007.00000000.1156636738.0000000000652000.00000002.00020000.sdmp, appdata.exe, 00000008.00000000.1170160421.00000000007E2000.00000002.00020000.sdmp, iEhBDrw6oW.exe, String found in binary or memory: https://www.pelock.com/api/aztec-decoder/v1

                  System Summary:

                  Source: Joe Sandbox View | Dropped File: C:\Users\user\appdata.exe 5B37CC85FD190A6B4726EA57F2588B5A74ACC2C51E2917363C226B73AC79118F
                  Source: iEhBDrw6oW.exe | Binary or memory string: OriginalFilename vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000000.00000002.1098733442.0000000002CD6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename26.dll4 vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000000.00000002.1098733442.0000000002CD6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRcamjXoBSptTgrUZcBnJIX.exe4 vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000000.00000002.1098793703.0000000003960000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMYDLLSTUBSHARED.dll4 vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000000.00000002.1098043766.0000000002B1C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUnhook.dll. vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000000.00000000.1081109561.00000000006E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameklash.exe, vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000000.00000002.1097476637.0000000002960000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZImBOZX.dll< vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000000.00000002.1097512687.0000000002972000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLOL.dllH vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe | Binary or memory string: OriginalFilename vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000002.00000000.1093507226.0000000000382000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameklash.exe, vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe | Binary or memory string: OriginalFilename vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000003.00000000.1094638251.0000000000392000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameklash.exe, vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe | Binary or memory string: OriginalFilename vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000004.00000002.1519314617.0000000006490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000004.00000002.1519093255.0000000006320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000004.00000002.1509997897.000000000044C000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRcamjXoBSptTgrUZcBnJIX.exe4 vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000004.00000000.1095388210.00000000009D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameklash.exe, vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000004.00000002.1519145831.0000000006330000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000004.00000002.1517450591.0000000005470000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe, 00000004.00000002.1510387508.0000000000BC7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe | Binary or memory string: OriginalFilenameklash.exe, vs iEhBDrw6oW.exe
                  Source: iEhBDrw6oW.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: appdata.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: iEhBDrw6oW.exe, EaIk.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: iEhBDrw6oW.exe, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: iEhBDrw6oW.exe, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: appdata.exe.0.dr, EaIk.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: appdata.exe.0.dr, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: appdata.exe.0.dr, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.iEhBDrw6oW.exe.6e0000.0.unpack, EaIk.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.iEhBDrw6oW.exe.6e0000.0.unpack, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.iEhBDrw6oW.exe.6e0000.0.unpack, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.0.iEhBDrw6oW.exe.6e0000.0.unpack, EaIk.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.iEhBDrw6oW.exe.6e0000.0.unpack, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.0.iEhBDrw6oW.exe.6e0000.0.unpack, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@22/4@3/1
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | File created: C:\Users\user\appdata.exe
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_01
                  Source: iEhBDrw6oW.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                  Source: C:\Users\user\appdata.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\appdata.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\appdata.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\appdata.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: iEhBDrw6oW.exe | Virustotal: Detection: 75%
                  Source: iEhBDrw6oW.exe | Metadefender: Detection: 18%
                  Source: iEhBDrw6oW.exe | ReversingLabs: Detection: 83%
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | File read: C:\Users\user\Desktop\iEhBDrw6oW.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\iEhBDrw6oW.exe 'C:\Users\user\Desktop\iEhBDrw6oW.exe'
                  Source: unknown | Process created: C:\Users\user\Desktop\iEhBDrw6oW.exe C:\Users\user\Desktop\iEhBDrw6oW.exe
                  Source: unknown | Process created: C:\Users\user\appdata.exe 'C:\Users\user\appdata.exe'
                  Source: unknown | Process created: C:\Users\user\appdata.exe C:\Users\user\appdata.exe
                  Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Process created: C:\Users\user\Desktop\iEhBDrw6oW.exe C:\Users\user\Desktop\iEhBDrw6oW.exe
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: C:\Users\user\appdata.exe | Process created: C:\Users\user\appdata.exe C:\Users\user\appdata.exe
                  Source: C:\Users\user\appdata.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: iEhBDrw6oW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: iEhBDrw6oW.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: Unhook.pdb source: iEhBDrw6oW.exe, 00000000.00000002.1098043766.0000000002B1C000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.1149549532.00000000026BD000.00000004.00000001.sdmp, appdata.exe, 00000007.00000002.1173241352.0000000002ADD000.00000004.00000001.sdmp
                  Source: Binary string: 26.pdb source: iEhBDrw6oW.exe, 00000000.00000002.1098733442.0000000002CD6000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.1149549532.00000000026BD000.00000004.00000001.sdmp, appdata.exe, 00000007.00000002.1173241352.0000000002ADD000.00000004.00000001.sdmp
                  Source: Binary string: LOL.pdb source: iEhBDrw6oW.exe, 00000000.00000002.1097512687.0000000002972000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.1153821173.0000000004B00000.00000004.00000001.sdmp, appdata.exe, 00000007.00000002.1172352116.0000000002932000.00000004.00000001.sdmp
                  Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ZImBOZX.pdbP-j- \-_CorDllMainmscoree.dll source: iEhBDrw6oW.exe, 00000000.00000002.1097476637.0000000002960000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.1148681674.0000000002500000.00000004.00000001.sdmp, appdata.exe, 00000007.00000002.1172306858.0000000002920000.00000004.00000001.sdmp
                  Source: Binary string: 26.pdbx source: iEhBDrw6oW.exe, 00000000.00000002.1098733442.0000000002CD6000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.1149549532.00000000026BD000.00000004.00000001.sdmp, appdata.exe, 00000007.00000002.1173241352.0000000002ADD000.00000004.00000001.sdmp
                  Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ZImBOZX.pdb source: iEhBDrw6oW.exe, 00000000.00000002.1097476637.0000000002960000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.1148681674.0000000002500000.00000004.00000001.sdmp, appdata.exe, 00000007.00000002.1172306858.0000000002920000.00000004.00000001.sdmp

                  Data Obfuscation:

                  .NET source code contains potential unpacker
                  Source: iEhBDrw6oW.exe, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: appdata.exe.0.dr, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.2.iEhBDrw6oW.exe.6e0000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.0.iEhBDrw6oW.exe.6e0000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 2.2.iEhBDrw6oW.exe.380000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 2.0.iEhBDrw6oW.exe.380000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 3.2.iEhBDrw6oW.exe.390000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 3.0.iEhBDrw6oW.exe.390000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 4.2.iEhBDrw6oW.exe.9d0000.1.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 4.0.iEhBDrw6oW.exe.9d0000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 5.0.appdata.exe.1d0000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 5.2.appdata.exe.1d0000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 6.0.appdata.exe.af0000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 6.2.appdata.exe.af0000.1.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 7.0.appdata.exe.650000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 7.2.appdata.exe.650000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 8.0.appdata.exe.7e0000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 0_2_006E6069 push 7D07029Dh; retf 0000h 0_2_006E606E
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 0_2_006E7515 push esi; ret 0_2_006E7525
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 2_2_00386069 push 7D07029Dh; retf 0000h 2_2_0038606E
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 2_2_00387515 push esi; ret 2_2_00387525
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 3_2_00396069 push 7D07029Dh; retf 0000h 3_2_0039606E
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 3_2_00397515 push esi; ret 3_2_00397525
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 4_2_009D7515 push esi; ret 4_2_009D7525
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 4_2_009D6069 push 7D07029Dh; retf 0000h 4_2_009D606E
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 4_2_013ACADB pushad ; retf 4_2_013ACADE
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 4_2_013A4DC5 push ebx; retf 001Dh 4_2_013A4DC6
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 4_2_013A3C87 pushfd ; iretd 4_2_013A3C91
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Code function: 4_2_05A005BF push eax; retf 4_2_05A005D6
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_001D7515 push esi; ret 5_2_001D7525
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_001D6069 push 7D07029Dh; retf 0000h 5_2_001D606E
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB54C3 push eax; retf 5_2_04CB54C6
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB54E7 push ecx; retf 5_2_04CB54EA
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB548B push eax; retf 5_2_04CB548E
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB549B push ecx; retf 5_2_04CB549E
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB540B push ecx; retf 5_2_04CB540E
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB5413 push ecx; retf 5_2_04CB5416
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB956D push ds; retf 5_2_04CB9573
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB53C3 push eax; retf 5_2_04CB53C6
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB53DB push eax; retf 5_2_04CB53DE
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB53D3 push eax; retf 5_2_04CB53D6
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB5393 push ecx; retf 5_2_04CB5396
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB536B push ebx; retf 5_2_04CB536E
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB5368 push ebx; retf 5_2_04CB536A
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB537B push edx; retf 5_2_04CB537E
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB537F push ebx; retf 5_2_04CB5382
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB5373 push ebx; retf 5_2_04CB5376
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_04CB9CEE pushfd ; ret 5_2_04CB9CF5
                  Source: initial sample | Static PE information: section name: .text entropy: 7.80940184151

                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | File created: C:\Users\user\appdata.exe

                  Boot Survival:

                  Drops PE files to the user root directory
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | File created: C:\Users\user\appdata.exe
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run appdata

                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\iEhBDrw6oW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exe    Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\u