
Windows Analysis Report SlipMT103.exe

Overview

General Information

Sample Name: SlipMT103.exe
Analysis ID: 528729
MD5: 5cbac1b17cef2bc95f5b18f87ec1de49
SHA1: 85d362c8463eaaf6c071414f741f32bd4cc51f0c
SHA256: 29291b4fb097c75dc3ecf4787a03175ec150319e9ab97a96b6084d1fe2dae2a5
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • SlipMT103.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\SlipMT103.exe" MD5: 5CBAC1B17CEF2BC95F5B18F87EC1DE49)
    • SlipMT103.exe (PID: 6456 cmdline: C:\Users\user\Desktop\SlipMT103.exe MD5: 5CBAC1B17CEF2BC95F5B18F87EC1DE49)
  • kprUEGC.exe (PID: 2900 cmdline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" MD5: 5CBAC1B17CEF2BC95F5B18F87EC1DE49)
    • kprUEGC.exe (PID: 988 cmdline: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe MD5: 5CBAC1B17CEF2BC95F5B18F87EC1DE49)
  • kprUEGC.exe (PID: 6272 cmdline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" MD5: 5CBAC1B17CEF2BC95F5B18F87EC1DE49)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "administracion@aquanova.es", "Password": "Aquaribe2419*", "Host": "mail.aquanova.es"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(35 entries in total; the first five are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.SlipMT103.exe.3c27038.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.SlipMT103.exe.3c27038.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
10.2.kprUEGC.exe.44a0e18.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
10.2.kprUEGC.exe.44a0e18.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
12.0.kprUEGC.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(39 entries in total; the first five are shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1.0.SlipMT103.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "administracion@aquanova.es", "Password": "Aquaribe2419*", "Host": "mail.aquanova.es"}
Multi AV Scanner detection for submitted file
Source: SlipMT103.exe | ReversingLabs: Detection: 40%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | ReversingLabs: Detection: 40%
Source: 1.0.SlipMT103.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.kprUEGC.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.kprUEGC.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.SlipMT103.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.SlipMT103.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.kprUEGC.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.SlipMT103.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.kprUEGC.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.SlipMT103.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.kprUEGC.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.SlipMT103.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: SlipMT103.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SlipMT103.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49830 -> 51.83.52.225:587
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: Joe Sandbox View | IP Address: 51.83.52.225 51.83.52.225
Source: global traffic | TCP traffic: 192.168.2.6:49830 -> 51.83.52.225:587
Source: SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SlipMT103.exe, 00000001.00000002.628274243.0000000002AAE000.00000004.00000001.sdmp | String found in binary or memory: http://3jx9Nc9mcrIeyBPlhe.org
Source: kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: http://DrWvWz.com
Source: kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: kprUEGC.exe, 0000000D.00000002.455081302.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://defaultcontainer/Views/MainWindow.xaml
Source: kprUEGC.exe, 0000000D.00000002.455081302.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://foo/Views/MainWindow.xaml
Source: SlipMT103.exe, 00000001.00000002.628449891.0000000002AFF000.00000004.00000001.sdmp | String found in binary or memory: http://mail.aquanova.es
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp, SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SlipMT103.exe, 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp, SlipMT103.exe, 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp, SlipMT103.exe, 00000001.00000000.356357042.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.452252607.00000000043AD000.00000004.00000001.sdmp, kprUEGC.exe, 0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000C.00000000.444571373.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.aquanova.es
Source: SlipMT103.exe, 00000000.00000002.359649304.0000000000D9B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\SlipMT103.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 1.0.SlipMT103.exe.400000.12.unpack, <PrivateImplementationDetails>{63122FA5-5709-4B59-B007-C8CBD87FA871}/07651BC3-27A7-47FF-A50A-5D7213AA2347.cs | Large array initialization: .cctor: array initializer size 11963
Source: 1.2.SlipMT103.exe.400000.0.unpack, <PrivateImplementationDetails>{63122FA5-5709-4B59-B007-C8CBD87FA871}/07651BC3-27A7-47FF-A50A-5D7213AA2347.cs | Large array initialization: .cctor: array initializer size 11963
Source: 1.0.SlipMT103.exe.400000.6.unpack, <PrivateImplementationDetails>{63122FA5-5709-4B59-B007-C8CBD87FA871}/07651BC3-27A7-47FF-A50A-5D7213AA2347.cs | Large array initialization: .cctor: array initializer size 11963
Source: 1.0.SlipMT103.exe.400000.4.unpack, <PrivateImplementationDetails>{63122FA5-5709-4B59-B007-C8CBD87FA871}/07651BC3-27A7-47FF-A50A-5D7213AA2347.cs | Large array initialization: .cctor: array initializer size 11963
Source: SlipMT103.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SlipMT103.exe, 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCHSfumdsoSQKEDPbMIzAYpYIlMWkeKqWpKhYN.exe4 vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCHSfumdsoSQKEDPbMIzAYpYIlMWkeKqWpKhYN.exe4 vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.363621555.0000000005A00000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.359463739.0000000000700000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIArraySortHelp.exe. vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.364091388.0000000005F80000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs SlipMT103.exe
Source: SlipMT103.exe, 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCHSfumdsoSQKEDPbMIzAYpYIlMWkeKqWpKhYN.exe4 vs SlipMT103.exe
Source: SlipMT103.exe, 00000001.00000000.355626536.00000000004D0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIArraySortHelp.exe. vs SlipMT103.exe
Source: SlipMT103.exe, 00000001.00000002.621068774.00000000008F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SlipMT103.exe
Source: SlipMT103.exe | Binary or memory string: OriginalFilenameIArraySortHelp.exe. vs SlipMT103.exe
Source: SlipMT103.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SlipMT103.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\Desktop\SlipMT103.exe | File read: C:\Users\user\Desktop\SlipMT103.exe:Zone.Identifier
Source: C:\Users\user\Desktop\SlipMT103.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SlipMT103.exe "C:\Users\user\Desktop\SlipMT103.exe"
Source: C:\Users\user\Desktop\SlipMT103.exe | Process created: C:\Users\user\Desktop\SlipMT103.exe C:\Users\user\Desktop\SlipMT103.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\Desktop\SlipMT103.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\SlipMT103.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SlipMT103.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SlipMT103.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlipMT103.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/5@1/1
Source: C:\Users\user\Desktop\SlipMT103.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: SlipMT103.exe | String found in binary or memory: /IArraySortHelp;component/views/addbook.xaml
Source: SlipMT103.exe | String found in binary or memory: views/addbook.baml
Source: SlipMT103.exe | String found in binary or memory: views/addcustomer.baml
Source: SlipMT103.exe | String found in binary or memory: /IArraySortHelp;component/views/addcustomer.xaml
Source: kprUEGC.exe | String found in binary or memory: /IArraySortHelp;component/views/addbook.xaml
Source: kprUEGC.exe | String found in binary or memory: views/addcustomer.baml
Source: kprUEGC.exe | String found in binary or memory: views/addbook.baml
Source: kprUEGC.exe | String found in binary or memory: /IArraySortHelp;component/views/addcustomer.xaml
Source: SlipMT103.exe | String found in binary or memory: Y/IArraySortHelp;component/views/addbook.xamlo/IArraySortHelp;component/views/borrowfrombookview.xamle/IArraySortHelp;component/views/borrowingview.xaml_/IArraySortHelp;component/views/changebook.xamlg/IArraySortHelp;component/views/changecustomer.xamlc/IArraySortHelp;component/views/customerview.xamlg/IArraySortHelp;component/views/deletecustomer.xaml]/IArraySortHelp;component/views/errorview.xamla/IArraySortHelp;component/views/smallextras.xamla/IArraySortHelp;component/views/addcustomer.xaml
Source: SlipMT103.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 1.0.SlipMT103.exe.400000.12.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.SlipMT103.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SlipMT103.exe.400000.6.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SlipMT103.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SlipMT103.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SlipMT103.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SlipMT103.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SlipMT103.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: SlipMT103.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.SlipMT103.exe.680000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.SlipMT103.exe.680000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: kprUEGC.exe.1.dr, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.13.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.7.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.SlipMT103.exe.450000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_00689361 push ds; retf 0_2_00689364
                      Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_006892F5 push ds; ret 0_2_00689340
                      Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_00689347 push ds; ret 0_2_0068934C
                      Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00459347 push ds; ret 1_2_0045934C
                      Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00459361 push ds; retf 1_2_00459364
                      Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_004592F5 push ds; ret 1_2_00459340
                      Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00939EF8 push eax; ret 1_2_00939EF9
                      Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00933F65 push esp; iretd 1_2_00933F66
                      Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00B87E3F push edi; retn 0000h 1_2_00B87E41
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_00EE9361 push ds; retf 10_2_00EE9364
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_00EE92F5 push ds; ret 10_2_00EE9340
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_00EE9347 push ds; ret 10_2_00EE934C
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_059B56E0 push esp; iretd 10_2_059B56E9
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 12_2_007292F5 push ds; ret 12_2_00729340
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 12_2_00729361 push ds; retf 12_2_00729364
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 12_2_00729347 push ds; ret 12_2_0072934C
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 13_2_00979347 push ds; ret 13_2_0097934C
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 13_2_009792F5 push ds; ret 13_2_00979340
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 13_2_00979361 push ds; retf 13_2_00979364
                      Source: initial sample Static PE information: section name: .text entropy: 7.88568951342
                      Source: C:\Users\user\Desktop\SlipMT103.exe File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                      Source: C:\Users\user\Desktop\SlipMT103.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\SlipMT103.exe File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\SlipMT103.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX