Loading ...

Play interactive tourEdit tour

Windows Analysis Report 03SPwb995m

Overview

General Information

Sample Name:03SPwb995m (renamed file extension from none to exe)
Analysis ID:528805
MD5:815982590de5e574abb8a0310826e200
SHA1:6c41343a2e25f932f901e53e615cc083209f6a65
SHA256:56960095ea2eda1c680f9df0937a792e9bca7af4922931540688097e6d2a43bb
Tags:32exetrojan
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 03SPwb995m.exe (PID: 1364 cmdline: "C:\Users\user\Desktop\03SPwb995m.exe" MD5: 815982590DE5E574ABB8A0310826E200)
    • powershell.exe (PID: 5776 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5732 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 03SPwb995m.exe (PID: 5596 cmdline: C:\Users\user\Desktop\03SPwb995m.exe MD5: 815982590DE5E574ABB8A0310826E200)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "m-konieczny@europecell.eu", "Password": "26DuBoBmcqO1", "Host": "us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.678751363.0000000002F7E000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
        00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
            Click to see the 15 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.03SPwb995m.exe.40065a0.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.03SPwb995m.exe.40065a0.2.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                8.0.03SPwb995m.exe.400000.12.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  8.0.03SPwb995m.exe.400000.12.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    8.2.03SPwb995m.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 15 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicius Add Task From User AppData TempShow sources
                      Source: Process startedAuthor: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\03SPwb995m.exe" , ParentImage: C:\Users\user\Desktop\03SPwb995m.exe, ParentProcessId: 1364, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp, ProcessId: 5732
                      Sigma detected: Powershell Defender ExclusionShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\03SPwb995m.exe" , ParentImage: C:\Users\user\Desktop\03SPwb995m.exe, ParentProcessId: 1364, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, ProcessId: 5776
                      Sigma detected: Non Interactive PowerShellShow sources
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\03SPwb995m.exe" , ParentImage: C:\Users\user\Desktop\03SPwb995m.exe, ParentProcessId: 1364, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, ProcessId: 5776
                      Sigma detected: T1086 PowerShell ExecutionShow sources
                      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132823406173533744.5776.DefaultAppDomain.powershell

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 8.0.03SPwb995m.exe.400000.10.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "m-konieczny@europecell.eu", "Password": "26DuBoBmcqO1", "Host": "us2.smtp.mailhostbox.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: 03SPwb995m.exeVirustotal: Detection: 22%Perma Link
                      Source: 03SPwb995m.exeReversingLabs: Detection: 28%
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exeVirustotal: Detection: 22%Perma Link
                      Source: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exeReversingLabs: Detection: 28%
                      Source: 8.0.03SPwb995m.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.2.03SPwb995m.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.03SPwb995m.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.03SPwb995m.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.03SPwb995m.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.03SPwb995m.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                      Source: 03SPwb995m.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 03SPwb995m.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49833 -> 208.91.199.223:587
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49834 -> 208.91.199.224:587
                      Source: Joe Sandbox ViewASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
                      Source: Joe Sandbox ViewIP Address: 208.91.199.223 208.91.199.223
                      Source: Joe Sandbox ViewIP Address: 208.91.199.224 208.91.199.224
                      Source: global trafficTCP traffic: 192.168.2.4:49833 -> 208.91.199.223:587
                      Source: global trafficTCP traffic: 192.168.2.4:49834 -> 208.91.199.224:587
                      Source: global trafficTCP traffic: 192.168.2.4:49833 -> 208.91.199.223:587
                      Source: global trafficTCP traffic: 192.168.2.4:49834 -> 208.91.199.224:587
                      Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921807859.0000000002EED000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921843959.0000000002EFB000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921764899.0000000002EE5000.00000004.00000001.sdmpString found in binary or memory: http://1pbBaOuWGX2iibYLF.net
                      Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmpString found in binary or memory: http://GwvXXB.com
                      Source: 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: 03SPwb995m.exe, 00000008.00000002.921807859.0000000002EED000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.921914863.0000000002F13000.00000004.00000001.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                      Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                      Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: 03SPwb995m.exe, 00000000.00000002.679115519.0000000003EAF000.00000004.00000001.sdmp, 03SPwb995m.exe, 00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmp, 03SPwb995m.exe, 00000008.00000000.673486986.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: 03SPwb995m.exe, 00000008.00000002.919026964.0000000002B81000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: us2.smtp.mailhostbox.com

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Installs a global keyboard hookShow sources
                      Source: C:\Users\user\Desktop\03SPwb995m.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\03SPwb995m.exeJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 8.0.03SPwb995m.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b7D8661CAu002d2C0Au002d4493u002dAE88u002d5ADC1243DCCAu007d/F57C54F7u002dA459u002d4722u002dB554u002d98E451E63B57.csLarge array initialization: .cctor: array initializer size 12046
                      Source: 8.2.03SPwb995m.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b7D8661CAu002d2C0Au002d4493u002dAE88u002d5ADC1243DCCAu007d/F57C54F7u002dA459u002d4722u002dB554u002d98E451E63B57.csLarge array initialization: .cctor: array initializer size 12046
                      Source: 03SPwb995m.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 0_2_008FA2A90_2_008FA2A9
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 0_2_02BBDC0C0_2_02BBDC0C
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 0_2_008FA0350_2_008FA035
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_2_0078A2A98_2_0078A2A9
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_2_029649208_2_02964920
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_2_029648F28_2_029648F2
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_2_0296DDD08_2_0296DDD0
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_2_0078A0358_2_0078A035
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FCE6768_3_00FCE676
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FCE67A8_3_00FCE67A
                      Source: 03SPwb995m.exe, 00000000.00000002.677498178.00000000009B0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameInternalApplicationIdentityHelp.exeJ vs 03SPwb995m.exe
                      Source: 03SPwb995m.exe, 00000000.00000003.654896294.0000000003E7B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs 03SPwb995m.exe
                      Source: 03SPwb995m.exe, 00000000.00000003.677046086.000000000100F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInternalApplicationIdentityHelp.exeJ vs 03SPwb995m.exe
                      Source: 03SPwb995m.exe, 00000000.00000002.678411503.0000000002DD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameyEzbuhvRLFNcrCDKthtrydIkQpVLoDG.exe4 vs 03SPwb995m.exe
                      Source: 03SPwb995m.exe, 00000000.00000002.679115519.0000000003EAF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameyEzbuhvRLFNcrCDKthtrydIkQpVLoDG.exe4 vs 03SPwb995m.exe
                      Source: 03SPwb995m.exe, 00000000.00000002.681380062.0000000005F70000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs 03SPwb995m.exe
                      Source: 03SPwb995m.exe, 00000008.00000000.674499153.0000000000840000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameInternalApplicationIdentityHelp.exeJ vs 03SPwb995m.exe
                      Source: 03SPwb995m.exe, 00000008.00000002.917260578.00000000009D8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 03SPwb995m.exe
                      Source: 03SPwb995m.exe, 00000008.00000002.916977171.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameyEzbuhvRLFNcrCDKthtrydIkQpVLoDG.exe4 vs 03SPwb995m.exe
                      Source: 03SPwb995m.exeBinary or memory string: OriginalFilenameInternalApplicationIdentityHelp.exeJ vs 03SPwb995m.exe
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe 56960095EA2EDA1C680F9DF0937A792E9BCA7AF4922931540688097E6D2A43BB
                      Source: 03SPwb995m.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: gZfDBpJYZ.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 03SPwb995m.exeVirustotal: Detection: 22%
                      Source: 03SPwb995m.exeReversingLabs: Detection: 28%
                      Source: C:\Users\user\Desktop\03SPwb995m.exeFile read: C:\Users\user\Desktop\03SPwb995m.exeJump to behavior
                      Source: 03SPwb995m.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\03SPwb995m.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\03SPwb995m.exe "C:\Users\user\Desktop\03SPwb995m.exe"
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess created: C:\Users\user\Desktop\03SPwb995m.exe C:\Users\user\Desktop\03SPwb995m.exe
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exeJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmpJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess created: C:\Users\user\Desktop\03SPwb995m.exe C:\Users\user\Desktop\03SPwb995m.exeJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\03SPwb995m.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\03SPwb995m.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\03SPwb995m.exeFile created: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exeJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeFile created: C:\Users\user\AppData\Local\Temp\tmp7B67.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/9@2/2
                      Source: C:\Users\user\Desktop\03SPwb995m.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
                      Source: C:\Users\user\Desktop\03SPwb995m.exeMutant created: \Sessions\1\BaseNamedObjects\CVJFnsnVFoXysEkzODvWP
                      Source: 8.0.03SPwb995m.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.0.03SPwb995m.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.2.03SPwb995m.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.2.03SPwb995m.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\03SPwb995m.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: 03SPwb995m.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 03SPwb995m.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: 03SPwb995m.exe, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: gZfDBpJYZ.exe.0.dr, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 0.0.03SPwb995m.exe.8f0000.0.unpack, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 0.2.03SPwb995m.exe.8f0000.0.unpack, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 8.0.03SPwb995m.exe.780000.9.unpack, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 8.0.03SPwb995m.exe.780000.2.unpack, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 8.0.03SPwb995m.exe.780000.1.unpack, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 8.0.03SPwb995m.exe.780000.3.unpack, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 8.0.03SPwb995m.exe.780000.5.unpack, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 8.0.03SPwb995m.exe.780000.7.unpack, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 0_2_02BBC6BA push esp; ret 0_2_02BBC6C1
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 0_2_02BBC6B8 pushad ; ret 0_2_02BBC6B9
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FCBC57 push es; retf 8_3_00FCBC58
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FCBC57 push es; retf 8_3_00FCBC58
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FCBC57 push es; retf 8_3_00FCBC58
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FCBC57 push es; retf 8_3_00FCBC58
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB26E7 pushfd ; retf 8_3_00FB26E9
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB6DCC pushad ; ret 8_3_00FB6DE5
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB6DCC pushad ; ret 8_3_00FB6DE5
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB10B7 push edx; iretd 8_3_00FB10B9
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB24A7 push es; ret 8_3_00FB24A8
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB818D push es; iretd 8_3_00FB824C
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB818D push es; iretd 8_3_00FB824C
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB215F push es; iretd 8_3_00FB2160
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB124C push esp; iretd 8_3_00FB1255
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB26E7 pushfd ; retf 8_3_00FB26E9
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB6DCC pushad ; ret 8_3_00FB6DE5
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB6DCC pushad ; ret 8_3_00FB6DE5
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB10B7 push edx; iretd 8_3_00FB10B9
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB24A7 push es; ret 8_3_00FB24A8
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB818D push es; iretd 8_3_00FB824C
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB818D push es; iretd 8_3_00FB824C
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB215F push es; iretd 8_3_00FB2160
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_3_00FB124C push esp; iretd 8_3_00FB1255
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_2_0110E332 push eax; ret 8_2_0110E349
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_2_0110D95C push eax; ret 8_2_0110D95D
                      Source: C:\Users\user\Desktop\03SPwb995m.exeCode function: 8_2_0110E38A push eax; ret 8_2_0110E349
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.79660930856
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.79660930856
                      Source: C:\Users\user\Desktop\03SPwb995m.exeFile created: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp7B67.tmp
                      Source: C:\Users\user\Desktop\03SPwb995m.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\03SPwb995m.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX