Analysis Report DETALLE DE CITACION FISCAL PENDIENTE.exe

Overview

General Information

Sample Name: DETALLE DE CITACION FISCAL PENDIENTE.exe
Analysis ID: 399029
MD5: 014700e8b066195a838cc64e2a92f8d2
SHA1: 38df508905566b855bd05ad79adc09740807bac4
SHA256: 09df870092fdf14100cf041139efcf165933d0d50c6ac8bf06fdf3116f63cfa2

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected AsyncRAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Startup

  • System is w10x64
  • DETALLE DE CITACION FISCAL PENDIENTE.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe' MD5: 014700E8B066195A838CC64E2A92F8D2)
    • powershell.exe (PID: 6888 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6948 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7048 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6352 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6212 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "fransiscolopesierraazul09.duckdns.org", "Ports": "1884", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "chrome.exe", "AES_key": "lgXmK2AdmNpdoXMEQOfnc9bPH6KQZTeV", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "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", "ServerSignature": "Pw96XxaDe2x7HSuJBGLyoPxR1knhEb1jaQuRXy8hfmSJ2KptZyjGa/SxfuATWiNGvk77/3yI5i0mB1KdcWJnYHDU1nnQN34n2zEt0IMI/nXuc/S68k0gL5VKXrgg+zszCWE1YIdExcnW/m8Toda0pFNAf86GXcFYzruiWS3HXJaBB3fT4cw0JLvaa5RoJNKInCOY2WQGMN5T+69azKJDeP7fS3yVIzsrBEp0+64Toocj1lynO9Bbzo5r2Gj8m9ERMbbjIuGXvhd8tlueqpVT0+dvf3cj3v5C/Uoeg2lpnGiJiIOD7vgbQBFq9wXf+blQEi0SofZMe6jX3NlGVcdWTPD4jVToiv20Z17G+LnXSXcsGaiARuMiJLVkpJhUR80EEBTPDFwpfo2Und5u+tTD8Xmdg7Rmz4029KmpGImLf4byk0aXckpNUF1oHsdnBWFgfn/C/uAf6fv1xpa5M1sq4Bl6wdPkzFSR0nbWtPK2cfwh8aRF9Cm/OGMy83Ne2REbs7oEjnfm9tlELIketDhDKpkzsL/bPZvnFHzQCSvb3BFg8iRs0hdZYIbjGLGI8j9M8PovRuq+V3s53BI0cV76TK7CtZhjXcB9rYGRQHXVlxffAInM8qgh8/HcXVc+M8O9apuMdNrh5eewNv49Nlh7wlHA9oPNvAYJ+Q5JaNJSnXM=", "Group": "Default"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.301037988.0000000002E9C000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(4 further entries not shown in this export)

Unpacked PEs

Source | Rule | Description | Author
0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(2 further entries not shown in this export)

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  • Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
  • CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
  • CommandLine|base64offset|contains: *j
  • Image: C:\Windows\SysWOW64\schtasks.exe
  • NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  • OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
  • ParentImage: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe
  • ParentProcessId: 6304
  • ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
  • ProcessId: 7048

Signature Overview

AV Detection:

Found malware configuration
Source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, Malware Configuration Extractor: AsyncRAT (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe, ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, Virustotal: Detection: 39%
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, Joe Sandbox ML: detected
Source: 17.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 201.219.204.73:1884 -> 192.168.2.5:49715
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: fransiscolopesierraazul09.duckdns.org
Uses dynamic DNS services
Source: unknown, DNS query: name: fransiscolopesierraazul09.duckdns.org
Source: global traffic, TCP traffic: 192.168.2.5:49715 -> 201.219.204.73:1884
Source: unknown, DNS traffic detected: queries for: fransiscolopesierraazul09.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match, File source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.301037988.0000000002E9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6212, type: MEMORY
Source: Yara match, File source: Process Memory Space: DETALLE DE CITACION FISCAL PENDIENTE.exe PID: 6304, type: MEMORY
Source: Yara match, File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.unpack, type: UNPACKEDPE

                      System Summary:

                      barindex
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeCode function: 0_2_0147C2B00_2_0147C2B0
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeCode function: 0_2_014799900_2_01479990
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 17_2_0174953017_2_01749530
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 17_2_0174D5E017_2_0174D5E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 17_2_01748C6017_2_01748C60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 17_2_0174F29817_2_0174F298
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 17_2_0174891817_2_01748918
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.293215604.00000000009DA000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTokenListCount.exej% vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.322043279.000000000DAC0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.322993718.000000000DBC0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.322993718.000000000DBC0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameStub.exe" vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.318436307.0000000007690000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll" vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll( vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exeBinary or memory string: OriginalFilenameTokenListCount.exej% vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: PZiCrodPdRhuJR.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, CustomCrypt.csCryptographic APIs: 'TransformFinalBlock'
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, CustomCrypt.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: PZiCrodPdRhuJR.exe.0.dr, CustomCrypt.csCryptographic APIs: 'TransformFinalBlock'
                      Source: PZiCrodPdRhuJR.exe.0.dr, CustomCrypt.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.DETALLE DE CITACION FISCAL PENDIENTE.exe.910000.0.unpack, CustomCrypt.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.0.DETALLE DE CITACION FISCAL PENDIENTE.exe.910000.0.unpack, CustomCrypt.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/20@1/1
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File created: C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_01
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Mutant created: \Sessions\1\BaseNamedObjects\yYDdTnLvJsPSJaGTuEoCj
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File created: C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000000.263855744.0000000000912000.00000002.00020000.sdmp | Binary or memory string: SELECT DATE(C.`date_created`) AS `DATE`,i.name AS `INSTITUTION NAME`, b.`BranchName` AS `BRANCH`, coltrs.`name` AS `COLLECTOR NAME`, c.id AS `CUSTOMER ID`, c.`name` AS `CUSTOMER FULL NAME`, c.`first_name` AS `FIRST NAME`, c.`last_name` AS `LAST NAME`,C.`email` AS `EMAIL`, C.`phone` AS `PHONE NUMBER`, C.`gender` AS `GENDER`, C.`address` AS `ADDRESS`, c.`id_type` AS `ID TYPE`, c.`card_no` AS `ID NUMBER`, c.`account_type` AS `ACCOUNT TYPE`,c.`account_no` AS `ACCOUNT NUMBER`,c.`balance` AS `BALANCE`,c.`status` AS `STATUS` FROM customers c INNER JOIN institutions i ON c.institution_id = i.id INNER JOIN branch b ON c.`Branchid`=b.`id` INNER JOIN collectors coltrs ON c.`collector_id`=coltrs.`id` INNER JOIN customers ctmrs ON c.`customer_id`=ctmrs.`id` WHERE A ORDER BY `CUSTOMER FULL NAME`eExcel files (*.xlsx)|*.xlsx|XLS Files (*.xls)|*xls]Provider=Microsoft.ACE.OLEDB.12.0;Data Source=A;Extended Properties=Excel 12.0;/Select * From [Sheet1$]
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Virustotal: Detection: 39%
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | ReversingLabs: Detection: 34%
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File read: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, My/Resources/Resources.cs | .Net Code: get__1ECCA08C2C988543629CC5AC5E4B3BB578726F80A17EB21483_pimgpsh_fullsize_distr contains xor as well as GetObject
                      Source: PZiCrodPdRhuJR.exe.0.dr, My/Resources/Resources.cs | .Net Code: get__1ECCA08C2C988543629CC5AC5E4B3BB578726F80A17EB21483_pimgpsh_fullsize_distr contains xor as well as GetObject
                      Source: 0.0.DETALLE DE CITACION FISCAL PENDIENTE.exe.910000.0.unpack, My/Resources/Resources.cs | .Net Code: get__1ECCA08C2C988543629CC5AC5E4B3BB578726F80A17EB21483_pimgpsh_fullsize_distr contains xor as well as GetObject
                      Source: initial sample | Static PE information: section name: .text entropy: 7.5949673099
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File created: C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe

                      Boot Survival:

                      Yara detected AsyncRAT
                      Source: Yara match | File source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.301037988.0000000002E9C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6212, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: DETALLE DE CITACION FISCAL PENDIENTE.exe PID: 6304, type: MEMORY
                      Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.unpack, type: UNPACKEDPE
                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe