Analysis Report Minutes of meeting June 9th.exe

Overview

General Information

Sample Name: Minutes of meeting June 9th.exe
Analysis ID: 433114
MD5: ee4b5d2d220b8b925a84755e5ad9fa06
SHA1: 4bfa8d3abf280cca85905ce083fe4446ac1d4862
SHA256: 31e702dd0fc8ae15e8ca4991263c135709a1d64cda293a4896f89ed3b3699b77
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • Minutes of meeting June 9th.exe (PID: 7048 cmdline: 'C:\Users\user\Desktop\Minutes of meeting June 9th.exe' MD5: EE4B5D2D220B8B925A84755E5AD9FA06)
    • schtasks.exe (PID: 6484 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "jaime.navarro@crigab.cljaimecrigabmail.crigab.cl"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
5.0.Minutes of meeting June 9th.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.0.Minutes of meeting June 9th.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.Minutes of meeting June 9th.exe.3891e68.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "jaime.navarro@crigab.cljaimecrigabmail.crigab.cl"}
Source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Minutes of meeting June 9th.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Minutes of meeting June 9th.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\KcyqvrOAxz\src\obj\Debug\TopLevelAssemblyTypeResolver.pdb source: Minutes of meeting June 9th.exe
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_078BF580
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_078BFE60
Source: global traffic | TCP traffic: 192.168.2.4:49777 -> 173.249.158.24:587
Source: Joe Sandbox View | ASN Name: NEXCESS-NETUS NEXCESS-NETUS
Source: unknown | DNS traffic detected: queries for: mail.crigab.cl

System Summary:

.NET source code contains very large array initializations
Source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, <PrivateImplementationDetails>{803333A8-EFF5-4E80-99CE-4C157E275DB7}/F3C892EF-20E2-40F9-A4B1-80E514D3763B.cs | Large array initialization: .cctor: array initializer size 11932
Source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, <PrivateImplementationDetails>{803333A8-EFF5-4E80-99CE-4C157E275DB7}/F3C892EF-20E2-40F9-A4B1-80E514D3763B.cs | Large array initialization: .cctor: array initializer size 11932
Source: Minutes of meeting June 9th.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RfuYgTevtBVukb.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Minutes of meeting June 9th.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/4@2/1
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile created: C:\Users\user\AppData\Roaming\RfuYgTevtBVukb.exe
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_01
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeMutant created: \Sessions\1\BaseNamedObjects\qIhLjPLhpIZOsEXARyaaScPRQHt
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1C49.tmp
                      Source: Minutes of meeting June 9th.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                      Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile read: C:\Users\user\Desktop\Minutes of meeting June 9th.exe:Zone.Identifier
                      Source: unknownProcess created: C:\Users\user\Desktop\Minutes of meeting June 9th.exe 'C:\Users\user\Desktop\Minutes of meeting June 9th.exe'
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess created: C:\Users\user\Desktop\Minutes of meeting June 9th.exe C:\Users\user\Desktop\Minutes of meeting June 9th.exe
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Minutes of meeting June 9th.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Minutes of meeting June 9th.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: Minutes of meeting June 9th.exeStatic file information: File size 1552896 > 1048576
                      Source: Minutes of meeting June 9th.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x152a00
                      Source: Minutes of meeting June 9th.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Minutes of meeting June 9th.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\KcyqvrOAxz\src\obj\Debug\TopLevelAssemblyTypeResolver.pdb source: Minutes of meeting June 9th.exe
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_002573C3 push 0000006Fh; ret 1_2_002573CE
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B1D16 push es; retf 1_2_078B1D17
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_078B316D pushfd ; retf 0007h1_2_078B31C9
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF6659 push ds; retf 0007h1_2_07AF665A
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF5E01 push ss; retf 0007h1_2_07AF5E02
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF5E47 push ss; retf 0007h1_2_07AF5E4A
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07AF5DC0 push ss; retf 0007h1_2_07AF5DC2
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 1_2_07B0AA30 push dword ptr [eax+edx-75h]; iretd 1_2_07B0AAA2
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeCode function: 5_2_009673C3 push 0000006Fh; ret 5_2_009673CE
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.39720072133

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp'
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Minutes of meeting