
Analysis Report Order_80000000000_img.exe

Overview

General Information

Sample Name: Order_80000000000_img.exe
MD5: 80ebba810d72a169d87bac6fa5592fda
SHA1: 80441ed4ed5d6f639d003a2e8f14d48ebf14d1cc
SHA256: 5f1f3bec4b73a162c6560aba5a4f0834f30a8e94d7964bd757ac1161665fea35

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Order_80000000000_img.exe (PID: 5356 cmdline: 'C:\Users\user\Desktop\Order_80000000000_img.exe' MD5: 80EBBA810D72A169D87BAC6FA5592FDA)
    • powershell.exe (PID: 5252 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AddInProcess32.exe (PID: 1684 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • netsh.exe (PID: 1984 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.1467321730.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1229600155.0000000003B06000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1230398354.0000000003D12000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.1469291475.00000000029A0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1230842425.0000000003F5E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
  Source: Process started
  Author: Joe Security
  Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentImage: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentProcessId: 1684, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 1984
Sigma detected: Suspicious Process Creation
  Source: Process started
  Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
  Data: Command: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentCommandLine: 'C:\Users\user\Desktop\Order_80000000000_img.exe' , ParentImage: C:\Users\user\Desktop\Order_80000000000_img.exe, ParentProcessId: 5356, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 1684

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
  Source: Order_80000000000_img.exe; Avira: detected
Multi AV Scanner detection for submitted file
  Source: Order_80000000000_img.exe; Virustotal: Detection: 42%
  Source: Order_80000000000_img.exe; ReversingLabs: Detection: 67%
Machine Learning detection for sample
  Source: Order_80000000000_img.exe; Joe Sandbox ML: detected
  Source: 5.2.AddInProcess32.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Source: Traffic; Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.6:49946 -> 185.51.202.58:21
  Source: Traffic; Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.6:49947 -> 185.51.202.58:62857
Source: global traffic; TCP traffic: 192.168.2.6:49947 -> 185.51.202.58:62857
Source: Joe Sandbox View; ASN Name: unknown unknown
Source: unknown; FTP traffic detected: 185.51.202.58:21 -> 192.168.2.6:49946
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 2 of 50 allowed.
  220-Local time is now 05:22. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown; DNS traffic detected: queries for: ftp.behnazgroup.ir
Source: AddInProcess32.exe, 00000005.00000002.1469607927.0000000002AAB000.00000004.00000001.sdmp; String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: AddInProcess32.exe, 00000005.00000002.1469607927.0000000002AAB000.00000004.00000001.sdmp; String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: AddInProcess32.exe, 00000005.00000002.1469886820.0000000002B86000.00000004.00000001.sdmp; String found in binary or memory: http://ftp.behnazgroup.ir
Source: AddInProcess32.exe, 00000005.00000002.1469886820.0000000002B86000.00000004.00000001.sdmp; String found in binary or memory: http://mfy0hHnXL0I7WIq.org
Source: AddInProcess32.exe, 00000005.00000002.1469886820.0000000002B86000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000005.00000002.1469607927.0000000002AAB000.00000004.00000001.sdmp; String found in binary or memory: http://support.apple.com/kb/HT203092
Source: AddInProcess32.exe, 00000005.00000002.1469607927.0000000002AAB000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: AddInProcess32.exe, 00000005.00000002.1469607927.0000000002AAB000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: AddInProcess32.exe, 00000005.00000002.1469607927.0000000002AAB000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: AddInProcess32.exe, 00000005.00000002.1469607927.0000000002AAB000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/answer/6258784

System Summary:

.NET source code contains very large array initializations
  Source: Order_80000000000_img.exe, u0036ou0026/u0034Sa.cs; Large array initialization: m^7: array initializer size 58880
  Source: 0.0.Order_80000000000_img.exe.570000.0.unpack, u0036ou0026/u0034Sa.cs; Large array initialization: m^7: array initializer size 58880
  Source: 0.2.Order_80000000000_img.exe.570000.0.unpack, u0036ou0026/u0034Sa.cs; Large array initialization: m^7: array initializer size 58880
Initial sample is a PE file and has a suspicious name
  Source: initial sample; Static PE information: Filename: Order_80000000000_img.exe
Source: Order_80000000000_img.exe, 00000000.00000002.1223565418.00000000007CC000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameSetIcon.exeL vs Order_80000000000_img.exe
Source: Order_80000000000_img.exe, 00000000.00000002.1226356375.0000000002D1E000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameVRoTkhAbAWTxOhFfGnMWQgqmvYdPrulaHQEGE.exe4 vs Order_80000000000_img.exe
Source: Order_80000000000_img.exe, 00000000.00000002.1226830863.0000000002DCC000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamefvsfesdf.dll2 vs Order_80000000000_img.exe
Source: Order_80000000000_img.exe, 00000000.00000002.1235987998.0000000006A23000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameAddInProcess32.exeT vs Order_80000000000_img.exe
Source: Order_80000000000_img.exe, 00000000.00000002.1224775036.00000000012C0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamesefresf.dllT vs Order_80000000000_img.exe
Source: Order_80000000000_img.exe, 00000000.00000002.1225015157.0000000002AB0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenametgrdcgd.dll2 vs Order_80000000000_img.exe
Source: Order_80000000000_img.exe, 00000000.00000002.1225015157.0000000002AB0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamekilo.dll4 vs Order_80000000000_img.exe
Source: Order_80000000000_img.exe; Binary or memory string: OriginalFilenameSetIcon.exeL vs Order_80000000000_img.exe
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@9/11@1/1
Source: C:\Users\user\Desktop\Order_80000000000_img.exe; File created: C:\Users\user\Desktop\0_order1.jpg
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4956:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1692:120:WilError_01
Source: C:\Users\user\Desktop\Order_80000000000_img.exe; File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: Order_80000000000_img.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order_80000000000_img.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Order_80000000000_img.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: Order_80000000000_img.exe; Virustotal: Detection: 42%
Source: Order_80000000000_img.exe; ReversingLabs: Detection: 67%
Source: unknown; Process created: C:\Users\user\Desktop\Order_80000000000_img.exe 'C:\Users\user\Desktop\Order_80000000000_img.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown; Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_80000000000_img.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: C:\Users\user\Desktop\Order_80000000000_img.exe; Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Order_80000000000_img.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Order_80000000000_img.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order_80000000000_img.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Order_80000000000_img.exe; Static file information: File size 2460672 > 1048576
Source: Order_80000000000_img.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
Source: Order_80000000000_img.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb; source: Order_80000000000_img.exe, 00000000.00000002.1235987998.0000000006A23000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb; source: Order_80000000000_img.exe, 00000000.00000002.1225015157.0000000002AB0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb4*N* @*_CorDllMainmscoree.dll; source: Order_80000000000_img.exe, 00000000.00000002.1225015157.0000000002AB0000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb source: Order_80000000000_img.exe, 00000000.00000002.1225015157.0000000002AB0000.00000004.00000001.sdmp
              Source: Binary string: AddInProcess32.pdbpw source: Order_80000000000_img.exe, 00000000.00000002.1235987998.0000000006A23000.00000004.00000001.sdmp, AddInProcess32.exe, 00000005.00000000.1148889412.00000000006F2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
              Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 source: Order_80000000000_img.exe, 00000000.00000002.1225015157.0000000002AB0000.00000004.00000001.sdmp

              Data Obfuscation:

              Suspicious powershell command line found
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
              Source: C:\Users\user\Desktop\Order_80000000000_img.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_0606BAAC push 8B000003h; iretd 5_2_0606BAB4
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_0616532C push cs; ret 5_2_0616532F
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_061620E0 push es; ret 5_2_061620F8
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_06166D70 push es; ret 5_2_06166D78
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_06680CE7 push 821678BAh; iretd 5_2_06680CEC
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_0668BA51 push eax; ret 5_2_0668BA5D
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_0668DBB6 push es; ret 5_2_0668DBBC

              Source: C:\Users\user\Desktop\Order_80000000000_img.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

              Hooking and other Techniques for Hiding and Protection:

              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Users\user\Desktop\Order_80000000000_img.exe | File opened: C:\Users\user\Desktop\Order_80000000000_img.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order_80000000000_img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\Order_80000000000_img.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Order_80000000000_img.exe | Window / User API: threadDelayed 588
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3319
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1251
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window / User API: threadDelayed 398
              Source: C:\Users\user\Desktop\Order_80000000000_img.exe TID: 2996 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Order_80000000000_img.exe TID: 3692 | Thread sleep count: 588 > 30
              Source: C:\Users\user\Desktop\Order_80000000000_img.exe TID: 5736 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3480 | Thread sleep count: 3319 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3480 | Thread sleep count: 1251 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2916 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3612 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 4824 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 5128 | Thread sleep count: 398 > 30
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 4824 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\Order_80000000000_img.exe | Process information queried: ProcessInformation