Analysis Report PO-ORDER-PURCHASE.exe

Overview

General Information

Sample Name: PO-ORDER-PURCHASE.exe
Analysis ID: 299743
MD5: 76763e570018bac75378aa22f21ce75b
SHA1: 3f362ab8c6b26b0763fa2e44d859712c9c42c7c1
SHA256: 92715192ee868e9d408f9449893688c609bb81fb522f9af00f9cf8caeaf098a2
Tags: exe, MassLogger

Most interesting Screenshot:

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MassLogger RAT
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO-ORDER-PURCHASE.exe (PID: 2508 cmdline: 'C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe' MD5: 76763E570018BAC75378AA22F21CE75B)
    • powershell.exe (PID: 3340 cmdline: 'Powershell' Add-MpPreference -ExclusionPath ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe'' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • picturevex.exe (PID: 4520 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe' MD5: 76763E570018BAC75378AA22F21CE75B)
  • picturevex.exe (PID: 7024 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe' MD5: 76763E570018BAC75378AA22F21CE75B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000F.00000002.516544622.0000000005A80000.00000004.00000001.sdmp
Rule: Quasar_RAT_1 (Detects Quasar RAT), Author: Florian Roth
Strings:
  • 0xa35:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x995:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1628:$op3: 00 04 03 69 91 1B 40
  • 0x1f17:$op3: 00 04 03 69 91 1B 40

Source: 0000000F.00000002.516544622.0000000005A80000.00000004.00000001.sdmp
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT), Author: Joe Security

Source: 00000001.00000002.516391717.00000000063E0000.00000004.00000001.sdmp
Rule: Quasar_RAT_1 (Detects Quasar RAT), Author: Florian Roth
Strings:
  • 0xa35:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x995:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1628:$op3: 00 04 03 69 91 1B 40
  • 0x1f17:$op3: 00 04 03 69 91 1B 40

Source: 00000001.00000002.516391717.00000000063E0000.00000004.00000001.sdmp
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT), Author: Joe Security

Source: 00000012.00000002.511843016.0000000003BC7000.00000004.00000001.sdmp
Rule: Quasar_RAT_1 (Detects Quasar RAT), Author: Florian Roth
Strings:
  • 0x5a7cd:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5a72d:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x5b3c0:$op3: 00 04 03 69 91 1B 40
  • 0x5bcaf:$op3: 00 04 03 69 91 1B 40
(13 further memory dump entries are not shown in this extract)

Unpacked PEs

Source: 1.2.PO-ORDER-PURCHASE.exe.63e0000.3.unpack
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT), Author: Joe Security

Source: 15.2.picturevex.exe.5a80000.3.unpack
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT), Author: Joe Security

Source: 18.2.picturevex.exe.55a0000.3.unpack
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT), Author: Joe Security

Source: 18.2.picturevex.exe.55a0000.3.raw.unpack
Rule: Quasar_RAT_1 (Detects Quasar RAT), Author: Florian Roth
Strings:
  • 0xa35:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x995:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1628:$op3: 00 04 03 69 91 1B 40
  • 0x1f17:$op3: 00 04 03 69 91 1B 40

Source: 18.2.picturevex.exe.55a0000.3.raw.unpack
Rule: JoeSecurity_MassLogger (Yara detected MassLogger RAT), Author: Joe Security
(4 further unpacked PE entries are not shown in this extract)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: PO-ORDER-PURCHASE.exe | ReversingLabs: Detection: 10%

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org (reported 18 times)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive (reported 6 times)
Source: Joe Sandbox View | IP Address: 54.227.255.202 (reported 2 times)
Source: Joe Sandbox View | IP Address: 54.225.66.103 (reported 2 times)
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.508246672.00000000034A1000.00000004.00000001.sdmp, picturevex.exe, 0000000F.00000002.508461284.0000000002D71000.00000004.00000001.sdmp, picturevex.exe, 00000012.00000002.506893480.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: 205.12.2.0.in-addr.arpa
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.509245807.0000000003593000.00000004.00000001.sdmp, picturevex.exe, 0000000F.00000002.509430941.0000000002E4F000.00000004.00000001.sdmp, picturevex.exe, 00000012.00000002.507627122.0000000002A3E000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.509078445.0000000003568000.00000004.00000001.sdmp, picturevex.exe, 0000000F.00000002.509430941.0000000002E4F000.00000004.00000001.sdmp, picturevex.exe, 00000012.00000002.507627122.0000000002A3E000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.509078445.0000000003568000.00000004.00000001.sdmp, picturevex.exe, 0000000F.00000002.509430941.0000000002E4F000.00000004.00000001.sdmp, picturevex.exe, 00000012.00000002.507627122.0000000002A3E000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/P
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.509078445.0000000003568000.00000004.00000001.sdmp, picturevex.exe, 0000000F.00000002.509430941.0000000002E4F000.00000004.00000001.sdmp, picturevex.exe, 00000012.00000002.507627122.0000000002A3E000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/p
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.508246672.00000000034A1000.00000004.00000001.sdmp, picturevex.exe, 0000000F.00000002.508461284.0000000002D71000.00000004.00000001.sdmp, picturevex.exe, 00000012.00000002.506893480.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.orgD
Source: picturevex.exe, 0000000F.00000002.509430941.0000000002E4F000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify8
Source: picturevex.exe, 00000012.00000002.507654605.0000000002A48000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify86.
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.509078445.0000000003568000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify8n
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.509245807.0000000003593000.00000004.00000001.sdmp, picturevex.exe, 0000000F.00000002.509502978.0000000002E5F000.00000004.00000001.sdmp, picturevex.exe, 00000012.00000002.507685359.0000000002A4E000.00000004.00000001.sdmp | String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.508246672.00000000034A1000.00000004.00000001.sdmp, picturevex.exe, 0000000F.00000002.509430941.0000000002E4F000.00000004.00000001.sdmp, picturevex.exe, 00000012.00000002.507627122.0000000002A3E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.508246672.00000000034A1000.00000004.00000001.sdmp, picturevex.exe, 0000000F.00000002.508461284.0000000002D71000.00000004.00000001.sdmp, picturevex.exe, 00000012.00000002.506893480.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg

System Summary:

              Malicious sample detected (through community Yara rule)Show sources
              Source: 0000000F.00000002.516544622.0000000005A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
              Source: 00000001.00000002.516391717.00000000063E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
              Source: 00000012.00000002.511843016.0000000003BC7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
              Source: 00000001.00000002.512348982.0000000004709000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
              Source: 00000012.00000002.514034275.00000000055A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
              Source: 0000000F.00000002.512503590.0000000003FD8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
              Source: 18.2.picturevex.exe.55a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
              Source: 1.2.PO-ORDER-PURCHASE.exe.63e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
              Source: 15.2.picturevex.exe.5a80000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
              Initial sample is a PE file and has a suspicious nameShow sources
              Source: initial sampleStatic PE information: Filename: PO-ORDER-PURCHASE.exe
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeCode function: 1_2_01B26D101_2_01B26D10
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeCode function: 1_2_01B269E81_2_01B269E8
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeCode function: 1_2_01B269C11_2_01B269C1
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeCode function: 1_2_01B21A901_2_01B21A90
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeCode function: 1_2_01B21A601_2_01B21A60
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeCode function: 1_2_067509D81_2_067509D8
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeCode function: 1_2_067509C81_2_067509C8
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeCode function: 1_2_0675D36C1_2_0675D36C
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E686015_2_012E6860
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E68D015_2_012E68D0
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E1A8215_2_012E1A82
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E1A9015_2_012E1A90
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E1D0815_2_012E1D08
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E1D6815_2_012E1D68
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E1D4715_2_012E1D47
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E1DAA15_2_012E1DAA
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E65A815_2_012E65A8
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E1D8515_2_012E1D85
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E659715_2_012E6597
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E1DE915_2_012E1DE9
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E1DD115_2_012E1DD1
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E471B15_2_012E471B
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_012E1E1215_2_012E1E12
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 15_2_06EA6C6215_2_06EA6C62
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 18_2_00EA686018_2_00EA6860
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 18_2_00EA68D018_2_00EA68D0
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 18_2_00EA1A8F18_2_00EA1A8F
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 18_2_00EA1A9018_2_00EA1A90
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 18_2_00EA65A818_2_00EA65A8
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 18_2_069F82B118_2_069F82B1
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 18_2_06A8740818_2_06A87408
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 18_2_06A89C3018_2_06A89C30
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 18_2_06A80AD018_2_06A80AD0
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeCode function: 18_2_06A8A72018_2_06A8A720
              Source: PO-ORDER-PURCHASE.exeStatic PE information: invalid certificate
              Source: PO-ORDER-PURCHASE.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: PO-ORDER-PURCHASE.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: PO-ORDER-PURCHASE.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: picturevex.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: picturevex.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: picturevex.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: PO-ORDER-PURCHASE.exeBinary or memory string: OriginalFilename vs PO-ORDER-PURCHASE.exe
              Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.502402241.000000000100C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameLime_MassLoggerBin.exeT vs PO-ORDER-PURCHASE.exe
              Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.518111486.00000000073B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs PO-ORDER-PURCHASE.exe
              Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.511654056.00000000044A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKnqfsxbgsbwnc.dll4 vs PO-ORDER-PURCHASE.exe
              Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.512348982.0000000004709000.00000004.00000001.sdmpBinary or memory string: OriginalFilename" vs PO-ORDER-PURCHASE.exe
              Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.515343810.00000000060F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO-ORDER-PURCHASE.exe
              Source: PO-ORDER-PURCHASE.exe, 00000001.00000002.518302502.0000000007519000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs PO-ORDER-PURCHASE.exe
              Source: PO-ORDER-PURCHASE.exeBinary or memory string: OriginalFilenameLime_MassLoggerBin.exeT vs PO-ORDER-PURCHASE.exe
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeSection loaded: amsidll.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeSection loaded: amsidll.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeSection loaded: amsidll.dllJump to behavior
              Source: 0000000F.00000002.516544622.0000000005A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000001.00000002.516391717.00000000063E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000012.00000002.511843016.0000000003BC7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000001.00000002.512348982.0000000004709000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000012.00000002.514034275.00000000055A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000F.00000002.512503590.0000000003FD8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 18.2.picturevex.exe.55a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 1.2.PO-ORDER-PURCHASE.exe.63e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 15.2.picturevex.exe.5a80000.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/6@9/2
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevexJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeMutant created: \Sessions\1\BaseNamedObjects\dixgnrfsfle
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6228:120:WilError_01
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gxodm5r4.u1i.ps1Jump to behavior
              Source: PO-ORDER-PURCHASE.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | File read: C:\Windows\System32\drivers\etc\hosts (12 occurrences)
Source: PO-ORDER-PURCHASE.exe | ReversingLabs: Detection: 10%
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | File read: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe 'C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell' Add-MpPreference -ExclusionPath ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe''
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe' (second instance of the dropped binary; see PIDs 4520 and 7024 in the Yara matches below)
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell' Add-MpPreference -ExclusionPath ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe''
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO-ORDER-PURCHASE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO-ORDER-PURCHASE.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PO-ORDER-PURCHASE.exe | Static file information: File size 2411128 > 1048576
Source: PO-ORDER-PURCHASE.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x20d600
Source: PO-ORDER-PURCHASE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected Costura Assembly Loader
Source: Yara match | File source: Process Memory Space: picturevex.exe PID: 4520, type: MEMORY
Source: Yara match | File source: Process Memory Space: picturevex.exe PID: 7024, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-ORDER-PURCHASE.exe PID: 2508, type: MEMORY
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Code function: 1_2_00F75440 push ss; ret 1_2_00F75441
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Code function: 1_2_01B23AD5 push cs; iretd 1_2_01B23ADC
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Code function: 1_2_067593B0 push dword ptr [edi-742F749Bh]; iretd 1_2_067593B7
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Code function: 1_2_06765E05 push 8BFFFFF5h; retf 1_2_06765E16
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 15_2_00755440 push ss; ret 15_2_00755441
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 15_2_012E3AD5 push cs; iretd 15_2_012E3ADC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 15_2_05E25E0B push 8BFFFFF5h; retf 15_2_05E25E16
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 15_2_06EA4EAF push es; ret 15_2_06EA4EB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 15_2_06EA6C22 push esp; ret 15_2_06EA6C23
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 15_2_06EA6DD4 push esp; ret 15_2_06EA6DD5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 15_2_06EA8B76 push esp; ret 15_2_06EA8B84
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 18_2_002B5440 push ss; ret 18_2_002B5441
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 18_2_00EA3AD5 push cs; iretd 18_2_00EA3ADC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 18_2_05985E0B push 8BFFFFF5h; retf 18_2_05985E16
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 18_2_069F8232 push esp; ret 18_2_069F8233
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 18_2_069F83E4 push esp; ret 18_2_069F83E5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 18_2_069FA186 push esp; ret 18_2_069FA194
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 18_2_06A8E51B push ecx; ret 18_2_06A8E525
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 18_2_06A85143 push esp; ret 18_2_06A85149
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe | Code function: 18_2_06A83B79 push es; iretd 18_2_06A83B80
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | File created (dropped PE file): C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run picturevex (2 occurrences)
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
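Added host-triage script for a machine suspected of having run this sample. It is not code from the Joe Sandbox report or from the sample itself. It checks for the three artifacts the report attributes to the dropper: the Windows Defender path exclusion added via `Add-MpPreference -ExclusionPath` (process-creation lines above), the `HKCU\...\CurrentVersion\Run` value named `picturevex`, and the dropped `picturevex.exe` under the user's Start Menu Programs folder with its `Zone.Identifier` stream; it then flags the combination of an exclusion that covers an autostart target, which is the actual evasion pattern here. The paths and value name come from the report; the `-Remediate` switch and the "suspicious path" heuristics (anything under a user profile or AppData) are assumptions of this example.

```powershell
<#
  Added triage script; not part of the Joe Sandbox report and not code from the sample.
  Checks a Windows host for the Defender exclusion, HKCU Run value and dropped binary
  this report attributes to PO-ORDER-PURCHASE.exe. Run from an elevated PowerShell.
  Assumptions: the -Remediate switch and the "inside a user profile" heuristic are
  this example's own; only the paths and the value name are taken from the report.
#>
[CmdletBinding()]
param(
    [string]$DroppedPath  = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe'),
    [string]$RunValueName = 'picturevex',
    [switch]$Remediate
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Value) {
    $findings.Add([pscustomobject]@{ Type = $Type; Value = $Value })
}

# 1. Defender exclusions. The sample ran:
#      Powershell Add-MpPreference -ExclusionPath "<dropped exe>"
#    Exclusions are machine-wide, so inspect every entry; an exclusion that points into
#    a user profile or AppData is suspicious regardless of the file name.
$prefs = Get-MpPreference -ErrorAction Stop
foreach ($p in @($prefs.ExclusionPath)) {
    if (-not $p) { continue }
    $inProfile = ($p -like '*\Users\*') -or ($p -like '*\AppData\*')
    if ($inProfile -or ($p -ieq $DroppedPath)) {
        Add-Finding 'DefenderExclusion' $p
        if ($Remediate) { Remove-MpPreference -ExclusionPath $p }
    }
}

# 2. HKCU Run key. The report shows the value "picturevex" being written; any Run value
#    whose command lives under AppData\Roaming gets reported as well.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -in $meta) { continue }
        if (($prop.Name -ieq $RunValueName) -or ("$($prop.Value)" -like '*\AppData\Roaming\*')) {
            Add-Finding 'RunKey' "$($prop.Name) = $($prop.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $prop.Name }
        }
    }
}

# 3. Dropped executable: record its SHA256 for comparison with the report's hashes and
#    read the Zone.Identifier alternate data stream the dropper created alongside it.
if (Test-Path -LiteralPath $DroppedPath) {
    $hash = (Get-FileHash -LiteralPath $DroppedPath -Algorithm SHA256).Hash
    Add-Finding 'DroppedFile' "$DroppedPath SHA256=$hash"
    $zone = Get-Content -LiteralPath $DroppedPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) { Add-Finding 'ZoneIdentifier' ($zone -join ' ') }
    if ($Remediate) {
        $name = [IO.Path]::GetFileNameWithoutExtension($DroppedPath)
        Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -LiteralPath $DroppedPath -Force
    }
}

# 4. The combination is the real signal: a Defender exclusion that covers a Run-key target.
$exclusions = @($findings | Where-Object Type -eq 'DefenderExclusion' | ForEach-Object Value)
$runTargets = @($findings | Where-Object Type -eq 'RunKey' | ForEach-Object Value)
foreach ($ex in $exclusions) {
    foreach ($rt in $runTargets) {
        if ($rt.IndexOf($ex, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            Add-Finding 'ExcludedAutostart' "$ex <- $rt"
        }
    }
}

if ($findings.Count -eq 0) { 'No picturevex-style artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it elevated: `Get-MpPreference` reads machine-wide settings, and `Add-MpPreference` only succeeds from an elevated process in the first place. That also makes the process-creation line above a useful detection on its own: `powershell.exe` spawned by an unsigned executable in a user profile with `Add-MpPreference -ExclusionPath` on the command line has no legitimate equivalent in normal user activity. Review the findings before passing `-Remediate`; the Run-key heuristic will also list legitimate per-user software that installs into AppData\Roaming.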
Source: C:\Users\user\Desktop\PO-ORDER-PURCHASE.exe | Process information set: NOOPENFILEERRORBOX (51 occurrences)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
               Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\picturevex\picturevex.exe Process information set: NOOPENFILEERRORBOX