Analysis Report SOA & Invoices 440086.exe

Overview

General Information

Sample Name: SOA & Invoices 440086.exe
Analysis ID: 432713
MD5: a5247d790d44aec18f5ec3e4ea037685
SHA1: 26633a91c4ac686a0f26a47444fa4c15798d1d2b
SHA256: adefb18837fffc19e4477292c47b9b85d92b1fc3385b66f1a921dd84bf8a2eea
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • SOA & Invoices 440086.exe (PID: 6412 cmdline: 'C:\Users\user\Desktop\SOA & Invoices 440086.exe' MD5: A5247D790D44AEC18F5EC3E4EA037685)
    • powershell.exe (PID: 6564 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SOA & Invoices 440086.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • SOA & Invoices 440086.exe (PID: 6668 cmdline: C:\Users\user\Desktop\SOA & Invoices 440086.exe MD5: A5247D790D44AEC18F5EC3E4EA037685)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "framafilmsint@framafilms.comlister11mail.framafilms.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.496465103.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.496465103.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.503343009.0000000002B01000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000000.257856351.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000000.257856351.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(5 of 8 entries shown)

Unpacked PEs

Source | Rule | Description | Author
1.2.SOA & Invoices 440086.exe.3d3c548.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.SOA & Invoices 440086.exe.3d3c548.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
5.0.SOA & Invoices 440086.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.0.SOA & Invoices 440086.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.SOA & Invoices 440086.exe.3e591c8.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SOA & Invoices 440086.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SOA & Invoices 440086.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\SOA & Invoices 440086.exe', ParentImage: C:\Users\user\Desktop\SOA & Invoices 440086.exe, ParentProcessId: 6412, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SOA & Invoices 440086.exe', ProcessId: 6564

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.503343009.0000000002B01000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "framafilmsint@framafilms.comlister11mail.framafilms.com"}
Multi AV Scanner detection for submitted file
Source: SOA & Invoices 440086.exe | Virustotal: Detection: 25%
Source: SOA & Invoices 440086.exe | ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: SOA & Invoices 440086.exe | Joe Sandbox ML: detected
Source: 5.2.SOA & Invoices 440086.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.SOA & Invoices 440086.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: SOA & Invoices 440086.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SOA & Invoices 440086.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\cjdyqHVUBe\src\obj\x86\Debug\OverideEventProvider.pdb | source: SOA & Invoices 440086.exe
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_011089D8
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_011089C9
Source: global traffic | TCP traffic: 192.168.2.7:49752 -> 185.220.245.14:587
Source: Joe Sandbox View | IP Address: 185.220.245.14
Source: Joe Sandbox View | ASN Name: SEEWEBWebhostingcolocationandcloudservicesIT
Source: unknown | DNS traffic detected: queries for: mail.framafilms.com
Source: SOA & Invoices 440086.exe, 00000001.00000002.259550635.0000000000D58000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 5.2.SOA & Invoices 440086.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b12FF4530u002dFEC9u002d460Fu002dBB79u002d2D52E17190A6u007d/u0038695B17Bu002d0BD1u002d49D5u002dB560u002dF76DA5ECA03B.cs | Large array initialization: .cctor: array initializer size 11960
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000001.00000003.242268248.0000000003F68000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000001.00000002.273926353.000000000E630000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000001.00000002.272819367.0000000008870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000001.00000002.260304981.0000000002C51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNFdPzhEyLJjKbrEDZupXKhqNAcmKaqwKUmvRjKF.exe4 vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000001.00000002.259021649.0000000000766000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOverideEventProvider.exeZ vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000001.00000002.262852424.0000000003C59000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000001.00000002.274761434.000000000E720000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000001.00000002.274761434.000000000E720000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000005.00000002.511084175.00000000061D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000005.00000000.257551212.0000000000826000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOverideEventProvider.exeZ vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000005.00000002.496465103.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameNFdPzhEyLJjKbrEDZupXKhqNAcmKaqwKUmvRjKF.exe4 vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe, 00000005.00000002.501518547.0000000000FEA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe | Binary or memory string: OriginalFilenameOverideEventProvider.exeZ vs SOA & Invoices 440086.exe
Source: SOA & Invoices 440086.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.SOA & Invoices 440086.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/5@1/1
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA & Invoices 440086.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xul1hgna.ujz.ps1
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SOA & Invoices 440086.exe, 00000001.00000002.260380689.0000000002C94000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: SOA & Invoices 440086.exe, 00000001.00000002.260380689.0000000002C94000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SOA & Invoices 440086.exe, 00000001.00000002.260380689.0000000002C94000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: SOA & Invoices 440086.exe, 00000001.00000002.260380689.0000000002C94000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: SOA & Invoices 440086.exe, 00000001.00000002.260380689.0000000002C94000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: SOA & Invoices 440086.exe, 00000001.00000002.260380689.0000000002C94000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: SOA & Invoices 440086.exe, 00000001.00000002.260380689.0000000002C94000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SOA & Invoices 440086.exe, 00000001.00000002.260380689.0000000002C94000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: SOA & Invoices 440086.exe, 00000001.00000002.260380689.0000000002C94000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: unknown | Process created: C:\Users\user\Desktop\SOA & Invoices 440086.exe 'C:\Users\user\Desktop\SOA & Invoices 440086.exe'
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SOA & Invoices 440086.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Process created: C:\Users\user\Desktop\SOA & Invoices 440086.exe C:\Users\user\Desktop\SOA & Invoices 440086.exe
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SOA & Invoices 440086.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SOA & Invoices 440086.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: SOA & Invoices 440086.exe, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SOA & Invoices 440086.exe.670000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.SOA & Invoices 440086.exe.670000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.SOA & Invoices 440086.exe.730000.2.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.SOA & Invoices 440086.exe.730000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs | .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00B9CE51 push es; ret 2_2_00B9CE60
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0780EA60 push FFFFFF8Bh; iretd 2_2_0780EA62
                      Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Code function: 5_2_00DEE28A push eax; ret 5_2_00DEE349
                      Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Code function: 5_2_00DED95C push eax; ret 5_2_00DED95D
                      Source: initial sample | Static PE information: section name: .text entropy: 7.86375935419
                      Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\SOA & Invoices 440086.exe | Process information set: NOOPENFILEERRORBOX
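The `.text` entropy figure in this section (7.86 bits per byte) is the static check that flags a packed or encrypted payload inside the assembly; together with the `Assembly.Load(System.Byte[])` call it is what the "potential unpacker" signature rests on. The script below is an added triage example, not Joe Sandbox code and not code from the sample: it parses the PE section table with nothing but the Python standard library, computes Shannon entropy per section and flags anything at or above a 7.0 cutoff (an assumed threshold, not one the report states). The PE image it analyses is constructed inline so the example runs offline; for a real sample pass `open(path, "rb").read()` to `section_entropies` instead.

```python
"""Per-section Shannon entropy triage for a PE image (added example; not Joe Sandbox code)."""
import math
import random
import struct
from collections import Counter

# Assumption: a common triage cutoff. Ordinary compiled code sits well below 7.0,
# while compressed or encrypted payloads approach the 8.0 maximum.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table.

    Walks the DOS header (e_lfanew), the PE signature and the 20-byte COFF header by hand,
    then reads SizeOfRawData / PointerToRawData from each 40-byte section header.
    """
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + size_of_optional
    for i in range(num_sections):
        hdr = table + i * 40
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]


def section_entropies(blob: bytes) -> dict:
    """Map section name -> entropy rounded to 3 decimals (the figure the report prints for .text)."""
    return {name: round(shannon_entropy(data), 3) for name, data in pe_sections(blob)}


def suspicious_sections(blob: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of sections whose entropy meets the packed/encrypted threshold."""
    return [name for name, ent in section_entropies(blob).items() if ent >= threshold]


def build_demo_pe(sections) -> bytes:
    """Construct a minimal, non-executable PE image holding the given [(name, data)] sections.

    Constructed test input only; on a real case read the sample from disk instead.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header follows the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)  # i386, no optional header
    raw_ptr = 64 + 4 + 20 + 40 * len(sections)            # first section starts after all headers
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), raw_ptr,
                             0, 0, 0, 0, 0x60000020)      # IMAGE_SCN_CNT_CODE | EXECUTE | READ
        raw_ptr += len(data)
        body += data
    return bytes(dos) + b"PE\0\0" + coff + table + body


def demo_blob() -> bytes:
    """Two-section image: a .text of seeded pseudo-random bytes (stands in for an encrypted
    embedded payload) and a .rsrc of repetitive bytes. Constructed data, not from the sample."""
    rng = random.Random(7)
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    rsrc = b"AB" * 512
    return build_demo_pe([(b".text", text), (b".rsrc", rsrc)])


if __name__ == "__main__":
    image = demo_blob()
    for name, ent in section_entropies(image).items():
        print(f"{name:<8} entropy={ent:.3f}")
    print("flagged:", suspicious_sections(image))
```

High entropy on its own is not proof of packing (legitimately compressed resources and embedded certificates also score high), so treat the flag as one input alongside the `Assembly.Load(System.Byte[])` reference and the in-memory unpack regions listed above rather than as a verdict.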

                      Malware Analysis System Evasion:
