
Analysis Report order_403_img.exe

Overview

General Information

Sample Name: order_403_img.exe
MD5: 07901359548fb96d817c652df6bb3a33
SHA1: ae22f2b24a105bd35a19a6e89bb2b6536d27e1d9
SHA256: cea60f7a30f3b97b616185c051f4e73ed69e05984af710db7844de905848a250

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • order_403_img.exe (PID: 4484 cmdline: 'C:\Users\user\Desktop\order_403_img.exe' MD5: 07901359548FB96D817C652DF6BB3A33)
    • powershell.exe (PID: 4208 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\0_order1.jpg MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 4760 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • netsh.exe (PID: 3488 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 4636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.1202687404.0000000003140000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.941748423.0000000003B84000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.1200220250.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.943492761.0000000003D91000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.944021692.0000000003FDE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(3 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentImage: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentProcessId: 4760, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 3488

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: order_403_img.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: order_403_img.exe | Virustotal: Detection: 45%
Source: order_403_img.exe | ReversingLabs: Detection: 66%
Source: 5.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.5:49747 -> 185.51.202.58:21
Source: Traffic | Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.5:49748 -> 185.51.202.58:54850
Source: global traffic | TCP traffic: 192.168.2.5:49748 -> 185.51.202.58:54850
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: unknown | FTP traffic detected: 185.51.202.58:21 -> 192.168.2.5:49747
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 2 of 50 allowed.
  220-Local time is now 06:22. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | DNS traffic detected: queries for: ftp.behnazgroup.ir
Source: RegAsm.exe, 00000005.00000002.1203347556.00000000032ED000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.behnazgroup.ir
Source: RegAsm.exe, 00000005.00000002.1203347556.00000000032ED000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000005.00000002.1203347556.00000000032ED000.00000004.00000001.sdmp | String found in binary or memory: https://mUqGkCbSAsfs62UzYn.com

System Summary:

.NET source code contains very large array initializations
Source: order_403_img.exe, Ru002ae/u0037zu002a.cs | Large array initialization: zD|: array initializer size 58880
Source: 0.2.order_403_img.exe.570000.0.unpack, Ru002ae/u0037zu002a.cs | Large array initialization: zD|: array initializer size 58880
Source: 0.0.order_403_img.exe.570000.0.unpack, Ru002ae/u0037zu002a.cs | Large array initialization: zD|: array initializer size 58880
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: order_403_img.exe
Source: C:\Users\user\Desktop\order_403_img.exe | Code function: 0_2_00E8EC80 CreateProcessAsUserW, 0_2_00E8EC80
Source: C:\Users\user\Desktop\order_403_img.exe | Code function: 0_2_00E8E759 0_2_00E8E759
Source: C:\Users\user\Desktop\order_403_img.exe | Code function: 0_2_00E8294F 0_2_00E8294F
Source: C:\Users\user\Desktop\order_403_img.exe | Code function: 0_2_00E8DF56 0_2_00E8DF56
Source: C:\Users\user\Desktop\order_403_img.exe | Code function: 0_2_00E88EB8 0_2_00E88EB8
Source: C:\Users\user\Desktop\order_403_img.exe | Code function: 0_2_00E88EB7 0_2_00E88EB7
Source: C:\Users\user\Desktop\order_403_img.exe | Code function: 0_2_00E811C8 0_2_00E811C8
Source: C:\Users\user\Desktop\order_403_img.exe | Code function: 0_2_00E8DF67 0_2_00E8DF67
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_00CE3DFE 5_2_00CE3DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C1060 5_2_012C1060
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012CF052 5_2_012CF052
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C0448 5_2_012C0448
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C2C98 5_2_012C2C98
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C8750 5_2_012C8750
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C0790 5_2_012C0790
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C7FD8 5_2_012C7FD8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4146 5_2_012C4146
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4950 5_2_012C4950
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C418D 5_2_012C418D
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C2C98 5_2_012C2C98
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C499A 5_2_012C499A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C49E4 5_2_012C49E4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C39F5 5_2_012C39F5
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C41D4 5_2_012C41D4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C482D 5_2_012C482D
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012CF00B 5_2_012CF00B
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4877 5_2_012C4877
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C40FF 5_2_012C40FF
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C48C1 5_2_012C48C1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4304 5_2_012C4304
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4B4C 5_2_012C4B4C
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C434B 5_2_012C434B
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4B96 5_2_012C4B96
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4392 5_2_012C4392
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012CD3EE 5_2_012CD3EE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4BE0 5_2_012C4BE0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C43D9 5_2_012C43D9
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C421B 5_2_012C421B
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4278 5_2_012C4278
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4A73 5_2_012C4A73
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4ABD 5_2_012C4ABD
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C450E 5_2_012C450E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4D08 5_2_012C4D08
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C3D1F 5_2_012C3D1F
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4558 5_2_012C4558
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4D97 5_2_012C4D97
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C45E7 5_2_012C45E7
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4C2A 5_2_012C4C2A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4420 5_2_012C4420
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4467 5_2_012C4467
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4C74 5_2_012C4C74
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C44AE 5_2_012C44AE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4CBE 5_2_012C4CBE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C3F60 5_2_012C3F60
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4754 5_2_012C4754
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C479E 5_2_012C479E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C27C8 5_2_012C27C8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C27D8 5_2_012C27D8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C4631 5_2_012C4631
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C467B 5_2_012C467B
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C46C5 5_2_012C46C5
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0668F270 5_2_0668F270
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06683468 5_2_06683468
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_066858E8 5_2_066858E8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0668B0A0 5_2_0668B0A0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_066879E8 5_2_066879E8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_066845C0 5_2_066845C0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06681208 5_2_06681208
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06683E8B 5_2_06683E8B
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06683E90 5_2_06683E90
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_066873A8 5_2_066873A8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_066858DB 5_2_066858DB
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0668B093 5_2_0668B093
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06686D60 5_2_06686D60
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06686D50 5_2_06686D50
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687BAA0 5_2_0687BAA0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06874AE8 5_2_06874AE8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687B238 5_2_0687B238
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06873E68 5_2_06873E68
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_068743A5 5_2_068743A5
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687D3E8 5_2_0687D3E8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687F328 5_2_0687F328
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687C768 5_2_0687C768
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06873060 5_2_06873060
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06872D88 5_2_06872D88
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06879220 5_2_06879220
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687EA28 5_2_0687EA28
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687E640 5_2_0687E640
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06873E5B 5_2_06873E5B
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687CB88 5_2_0687CB88
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687DBE8 5_2_0687DBE8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06873050 5_2_06873050
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06874580 5_2_06874580
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06874590 5_2_06874590
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687A976 5_2_0687A976
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06872D78 5_2_06872D78
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06C90348 5_2_06C90348
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06C90040 5_2_06C90040
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06C92845 5_2_06C92845
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06C9160B 5_2_06C9160B
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06C90339 5_2_06C90339
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06C90039 5_2_06C90039
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06C9AD50 5_2_06C9AD50
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
Source: order_403_img.exe | Binary or memory string: OriginalFilename vs order_403_img.exe
Source: order_403_img.exe, 00000000.00000000.777402228.0000000000572000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename403.exeD vs order_403_img.exe
Source: order_403_img.exe, 00000000.00000002.938952032.0000000002D69000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekilo.dll4 vs order_403_img.exe
Source: order_403_img.exe, 00000000.00000002.938952032.0000000002D69000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVRoTkhAbAWTxOhFfGnMWQgqmvYdPrulaHQEGE.exe4 vs order_403_img.exe
Source: order_403_img.exe, 00000000.00000002.939361492.0000000002E4D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefvsfesdf.dll2 vs order_403_img.exe
Source: order_403_img.exe, 00000000.00000002.937713005.0000000002910000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesefresf.dllT vs order_403_img.exe
Source: order_403_img.exe, 00000000.00000002.937975238.0000000002B30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenametgrdcgd.dll2 vs order_403_img.exe
Source: order_403_img.exe, 00000000.00000002.951286994.0000000006A0D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRegAsm.exeT vs order_403_img.exe
Source: order_403_img.exe | Binary or memory string: OriginalFilename403.exeD vs order_403_img.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/11@1/1
Source: C:\Users\user\Desktop\order_403_img.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\0_order1.jpg
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4636:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1180:120:WilError_01
Source: C:\Users\user\Desktop\order_403_img.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: order_403_img.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\order_403_img.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\order_403_img.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: order_403_img.exe | Virustotal: Detection: 45%
Source: order_403_img.exe | ReversingLabs: Detection: 66%
Source: unknown | Process created: C:\Users\user\Desktop\order_403_img.exe 'C:\Users\user\Desktop\order_403_img.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\0_order1.jpg
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\order_403_img.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\0_order1.jpg
Source: C:\Users\user\Desktop\order_403_img.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\order_403_img.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: order_403_img.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: order_403_img.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: order_403_img.exe | Static file information: File size 2458624 > 1048576
Source: order_403_img.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x257a00
Source: order_403_img.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb | source: order_403_img.exe, 00000000.00000002.938952032.0000000002D69000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb4*N* @*_CorDllMainmscoree.dll | source: order_403_img.exe, 00000000.00000002.938952032.0000000002D69000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb | source: order_403_img.exe, 00000000.00000002.937975238.0000000002B30000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb | source: order_403_img.exe, 00000000.00000002.951286994.0000000006A0D000.00000004.00000001.sdmp, RegAsm.exe, RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 | source: order_403_img.exe, 00000000.00000002.951286994.0000000006A0D000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.1200400041.0000000000CE2000.00000002.00020000.sdmp, RegAsm.exe.0.dr
Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 | source: order_403_img.exe, 00000000.00000002.937975238.0000000002B30000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\0_order1.jpg
Source: C:\Users\user\Desktop\order_403_img.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\0_order1.jpg
Source: C:\Users\user\Desktop\order_403_img.exe | Code function: 0_2_00E8A657 push esp; retf 0_2_00E8A665
Source: C:\Users\user\Desktop\order_403_img.exe | Code function: 0_2_00E8C943 push 980514EBh; rep ret 0_2_00E8C94D
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_00CE4289 push es; retf 5_2_00CE4294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_00CE4469 push cs; retf 5_2_00CE449E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_00CE44A3 push es; retf 5_2_00CE44A4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012CADA0 push ds; iretd 5_2_012CAEF2
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012CD32E push ebx; retf 5_2_012CD331
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C8B99 push es; iretd 5_2_012C8B9A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012CD5EE push ebx; retf 5_2_012CD601
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C8C29 push es; iretd 5_2_012C8C2A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012C8C2B push es; iretd 5_2_012C8C32
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012CAF49 push ds; iretd 5_2_012CAF4A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_012CDE27 push edi; retn 0000h 5_2_012CDE29
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0668BAAD push 8B000003h; iretd 5_2_0668BAB4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06682879 push ebx; ret 5_2_0668287A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0668345D push esi; iretd 5_2_0668345E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0668C8A7 push 8BFFFFFFh; retf 5_2_0668C8AD
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06682D31 push esp; iretd 5_2_06682D32
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06682D00 push ecx; iretd 5_2_06682D02
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06682D03 push ecx; iretd 5_2_06682D0A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_066845B0 push eax; iretd 5_2_066845B1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_0687532C push cs; ret 5_2_0687532F
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_068720E0 push es; ret 5_2_068720F8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06875192 push 6965AF8Ch; ret 5_2_06875199
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06C90CE7 push 821678BAh; iretd 5_2_06C90CEC
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06C9BA51 push eax; ret 5_2_06C9BA5D
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_06C9DBB6 push es; ret 5_2_06C9DBBC

              Source: C:\Users\user\Desktop\order_403_img.exeFile created: C:\Users\user\AppData\Local\Temp\RegAsm.exeJump to dropped file

              Source: C:\Users\user\Desktop\order_403_img.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\0_order1.jpg

              Hooking and other Techniques for Hiding and Protection:

              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Users\user\Desktop\order_403_img.exe | File opened: C:\Users\user\Desktop\order_403_img.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\order_403_img.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\order_403_img.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\order_403_img.exe | Window / User API: threadDelayed 551
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4007
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1685
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 789
              Source: C:\Users\user\Desktop\order_403_img.exe TID: 5024 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\order_403_img.exe TID: 920 | Thread sleep count: 551 > 30
              Source: C:\Users\user\Desktop\order_403_img.exe TID: 4412 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 744 | Thread sleep count: 4007 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 744 | Thread sleep count: 1685 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3064 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5076 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3636 | Thread sleep count: 789 > 30
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -59594s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -59312s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -58906s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -58406s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -57500s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -55312s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -54812s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -54406s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -53094s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -52906s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -52688s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -52406s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -52188s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -52000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -51500s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -51312s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3380 | Thread sleep time: -50624s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Last function: Thread delayed
              Source: RegAsm.exe, 00000005.00000002.1206834928.0000000006710000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
              Source: C:\Users\user\Desktop\order_403_img.exeProcess information queried: ProcessInformationJump to behavior

              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 5_2_012C398D KiUserExceptionDispatcher,LdrInitializeThunk,5_2_012C398D
              Source: C:\Users\user\Desktop\order_403_img.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\order_403_img.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion:

              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\order_403_img.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\order_403_img.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\order_403_img.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
              Source: C:\Users\user\Desktop\order_403_img.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
              Source: C:\Users\user\Desktop\order_403_img.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 44E000
              Source: C:\Users\user\Desktop\order_403_img.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 450000
              Source: C:\Users\user\Desktop\order_403_img.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: FEA008
              Source: C:\Users\user\Desktop\order_403_img.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\0_order1.jpg
              Source: C:\Users\user\Desktop\order_403_img.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: RegAsm.exe, 00000005.00000002.1202373052.0000000001BA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: RegAsm.exe, 00000005.00000002.1202373052.0000000001BA0000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: RegAsm.exe, 00000005.00000002.1202373052.0000000001BA0000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
              Source: RegAsm.exe, 00000005.00000002.1202373052.0000000001BA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock