Analysis Report C6RET8T1Wi.exe

Overview

General Information

Sample Name: C6RET8T1Wi.exe
Analysis ID: 383833
MD5: 133b4a863e9a9c74b7320f54abf199d7
SHA1: d4db04a031b65254b4194bb2f1ca81a487a7fe50
SHA256: db6863fdde8111c668522696e503145c0f988ad14c248fbba9ecd4a23de83613
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • C6RET8T1Wi.exe (PID: 6460 cmdline: 'C:\Users\user\Desktop\C6RET8T1Wi.exe' MD5: 133B4A863E9A9C74B7320F54ABF199D7)
    • schtasks.exe (PID: 6860 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • C6RET8T1Wi.exe (PID: 6968 cmdline: C:\Users\user\Desktop\C6RET8T1Wi.exe MD5: 133B4A863E9A9C74B7320F54ABF199D7)
    • C6RET8T1Wi.exe (PID: 7028 cmdline: C:\Users\user\Desktop\C6RET8T1Wi.exe MD5: 133B4A863E9A9C74B7320F54ABF199D7)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "armyscheme3@yandex.combrowse9jasmtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000002.532839988.00000000031B1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000D.00000002.528245994.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.294530199.0000000003F46000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.C6RET8T1Wi.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.C6RET8T1Wi.exe.3fe82e0.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.C6RET8T1Wi.exe.3fe82e0.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                  Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\C6RET8T1Wi.exe', ParentImage: C:\Users\user\Desktop\C6RET8T1Wi.exe, ParentProcessId: 6460, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp', ProcessId: 6860

                  Signature Overview

                  AV Detection:

Found malware configuration
Source: 13.2.C6RET8T1Wi.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "armyscheme3@yandex.combrowse9jasmtp.yandex.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exe; ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: C6RET8T1Wi.exe; Virustotal: Detection: 41%
Source: C6RET8T1Wi.exe; ReversingLabs: Detection: 37%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: C6RET8T1Wi.exe; Joe Sandbox ML: detected
Source: 13.2.C6RET8T1Wi.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: C6RET8T1Wi.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C6RET8T1Wi.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_04E29838)
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_04E298EC)
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_04E29827)
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_04E2A9E9)
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_04E2A9F8)
Source: global traffic; TCP traffic: 192.168.2.5:49724 -> 77.88.21.158:587
Source: Joe Sandbox View; IP Address: 77.88.21.158
Source: unknown; DNS traffic detected: queries for: smtp.yandex.com

                  System Summary:

.NET source code contains very large array initializations
Source: 13.2.C6RET8T1Wi.exe.400000.0.unpack, <PrivateImplementationDetails>{9BB50ABB-997B-49D4-96BA-B4F190B3376F}/6183AC38-4AD0-4B11-886D-06E3B37F3CC0.cs; Large array initialization: .cctor: array initializer size 11951
                  Source: C6RET8T1Wi.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: ePVIisXwKSPaua.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: C6RET8T1Wi.exe, 00000001.00000002.291795607.0000000002DB1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll2 vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 00000001.00000002.293757491.0000000003DBC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll" vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 00000001.00000002.294530199.0000000003F46000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameZLGbMGFFseWUKMCXRuKzK.exe4 vs C6RET8T1Wi.exe
                  Source: C6RET8T1Wi.exe, 00000001.00000002.289947497.00000000009E6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTypeUnion.exe< vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe, 00000001.00000002.301815062.000000000DA80000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe, 00000001.00000002.302225029.000000000DB70000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe, 00000001.00000002.302225029.000000000DB70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe, 0000000A.00000002.287952335.0000000000436000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTypeUnion.exe< vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe, 0000000D.00000000.288793485.0000000000D96000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTypeUnion.exe< vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe, 0000000D.00000002.528245994.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameZLGbMGFFseWUKMCXRuKzK.exe4 vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe, 0000000D.00000002.530112128.0000000001138000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe, 0000000D.00000002.531412296.000000000140A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe, 0000000D.00000002.530292093.00000000011D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe, 0000000D.00000002.531708358.0000000001640000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe | Binary or memory string: OriginalFilenameTypeUnion.exe< vs C6RET8T1Wi.exe
Source: C6RET8T1Wi.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C6RET8T1Wi.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ePVIisXwKSPaua.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 13.2.C6RET8T1Wi.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/4@2/1
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | File created: C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8430.tmp
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: C6RET8T1Wi.exe, 00000001.00000002.291906336.0000000002DFC000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: C6RET8T1Wi.exe | Virustotal: Detection: 41%
Source: C6RET8T1Wi.exe | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | File read: C:\Users\user\Desktop\C6RET8T1Wi.exe
Source: unknown | Process created: C:\Users\user\Desktop\C6RET8T1Wi.exe 'C:\Users\user\Desktop\C6RET8T1Wi.exe'
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Process created: C:\Users\user\Desktop\C6RET8T1Wi.exe C:\Users\user\Desktop\C6RET8T1Wi.exe
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Process created: C:\Users\user\Desktop\C6RET8T1Wi.exe C:\Users\user\Desktop\C6RET8T1Wi.exe
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C6RET8T1Wi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C6RET8T1Wi.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Code function: 1_2_00905955 push es; ret 1_2_00905965
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Code function: 1_2_04E2394C push cs; ret 1_2_04E23950
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Code function: 1_2_04E23953 push cs; ret 1_2_04E23957
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Code function: 1_2_0548AE90 push ecx; ret 1_2_0548AEA5
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Code function: 10_2_00355955 push es; ret 10_2_00355965
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Code function: 13_2_00CB5955 push es; ret 13_2_00CB5965
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Code function: 13_2_0163B4B0 pushad ; iretd 13_2_0163B561
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Code function: 13_2_016B0312 push 8BFFFFFFh; retf 13_2_016B0318
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Code function: 13_2_0305CD51 push esp; iretd 13_2_0305CD5D
Source: initial sample | Static PE information: section name: .text entropy: 7.77629150782
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | File created: C:\Users\user\AppData\Roaming\ePVIisXwKSPaua.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ePVIisXwKSPaua' /XML 'C:\Users\user\AppData\Local\Temp\tmp8430.tmp'
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\C6RET8T1Wi.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:
