
Analysis Report order_900000000000000.exe

Overview

General Information

Sample Name:order_900000000000000.exe
MD5:04147dc4f5fe55e54465c49d067bcb68
SHA1:94425023a2d78b0d06ec8759756fd85257cbf5b3
SHA256:f317843c047e64474a2c0a9207f70f67a4cc9298065a3611d947f186d6733fb7

Most interesting Screenshot:

Detection

AgentTesla
Score: 100 (range 0-100), Confidence: 100%, Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • order_900000000000000.exe (PID: 4504 cmdline: 'C:\Users\user\Desktop\order_900000000000000.exe' MD5: 04147DC4F5FE55E54465C49D067BCB68)
    • powershell.exe (PID: 2292 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AddInProcess32.exe (PID: 4880 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • netsh.exe (PID: 3144 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.948831394.00000000038C5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.1191974734.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.1194052263.0000000002E70000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.950162522.0000000003D1D000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.949586819.0000000003AD0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(3 further memory-dump matches not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author
6.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started. Author: Joe Security. Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentImage: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentProcessId: 4880, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 3144
Sigma detected: Suspicious Process Creation
Source: Process started. Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update). Data: Command: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentCommandLine: 'C:\Users\user\Desktop\order_900000000000000.exe' , ParentImage: C:\Users\user\Desktop\order_900000000000000.exe, ParentProcessId: 4504, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 4880
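The two Sigma hits above, together with the PowerShell decoy launch the report lists under Data Obfuscation, can be reproduced as plain process-creation checks. The following is an added example written for this page, not Joe Sandbox or Sigma code. The events are constructed from the report's Startup tree (the parent of the initial sample is not given, so it is left empty); the list of .NET Framework helper names and the decoy file extensions are assumptions of this example, and the second check models the "Suspicious Process Creation" rule only loosely (the real rule has many more conditions than the two used here).

```python
"""Sigma-style process-creation checks from the report, re-implemented in
plain Python (added example, not Joe Sandbox or Sigma code). The events
below are constructed from the report's Startup tree, not a real log."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ProcEvent:
    """Subset of the Sigma process_creation fields the checks need."""
    image: str
    command_line: str
    parent_image: str
    process_id: int
    parent_process_id: int


# Constructed events mirroring the report's process tree (PIDs as reported).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(r"C:\Users\user\Desktop\order_900000000000000.exe",
              r"'C:\Users\user\Desktop\order_900000000000000.exe'", "", 4504, 0),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg",
              r"C:\Users\user\Desktop\order_900000000000000.exe", 2292, 4504),
    ProcEvent(r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 3252, 2292),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
              r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
              r"C:\Users\user\Desktop\order_900000000000000.exe", 4880, 4504),
    ProcEvent(r"C:\Windows\SysWOW64\netsh.exe", r"'netsh' wlan show profile",
              r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe", 3144, 4880),
    ProcEvent(r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              r"C:\Windows\SysWOW64\netsh.exe", 4512, 3144),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wifi_profile_dump(ev: ProcEvent) -> Optional[str]:
    """'Capture Wi-Fi password': netsh wlan show profile ... (the follow-up
    'show profile <name> key=clear' prints the stored key)."""
    if basename(ev.image) != "netsh.exe":
        return None
    cl = ev.command_line.lower()
    if "wlan" in cl and "show" in cl and "profile" in cl:
        return "netsh enumerates saved WLAN profiles (Wi-Fi credential harvesting)"
    return None


TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# Assumed list for this example: .NET Framework helper binaries that normally
# live under C:\Windows\Microsoft.NET\Framework*\ and are popular injection hosts.
DOTNET_HELPERS = {"addinprocess32.exe", "addinprocess.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
DOTNET_ROOT = "c:\\windows\\microsoft.net\\"


def temp_or_masquerading_pe(ev: ProcEvent) -> Optional[str]:
    """Loose model of 'Suspicious Process Creation': a PE run from %TEMP%,
    plus a check specific to this report (a .NET helper name outside its home)."""
    reasons = []
    if TEMP_DIR.search(ev.image):
        reasons.append("executable launched from %LOCALAPPDATA%\\Temp")
    if basename(ev.image) in DOTNET_HELPERS and not ev.image.lower().startswith(DOTNET_ROOT):
        reasons.append("name matches a .NET Framework helper but path is outside Microsoft.NET")
    return "; ".join(reasons) or None


START_PROCESS = re.compile(r"""start-process\s+['"]?([^'"\s]+)""", re.IGNORECASE)
DECOY_EXT = (".jpg", ".jpeg", ".png", ".pdf")  # assumed decoy types for the example


def powershell_decoy(ev: ProcEvent) -> Optional[str]:
    """'Suspicious powershell command line found': Start-Process on a decoy document."""
    if basename(ev.image) != "powershell.exe":
        return None
    m = START_PROCESS.search(ev.command_line)
    if m and m.group(1).lower().endswith(DECOY_EXT):
        return f"PowerShell opens decoy {basename(m.group(1))} to mask execution"
    return None


DETECTORS: List[Callable[[ProcEvent], Optional[str]]] = [
    wifi_profile_dump, temp_or_masquerading_pe, powershell_decoy]


def run_detections(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, image basename, reason) for every event a detector fires on."""
    hits = []
    for ev in events:
        for det in DETECTORS:
            reason = det(ev)
            if reason:
                hits.append((ev.process_id, basename(ev.image), reason))
    return hits


if __name__ == "__main__":
    for pid, name, why in run_detections(SAMPLE_EVENTS):
        print(f"PID {pid} {name}: {why}")
```

Run against the constructed tree this fires on PIDs 2292 (PowerShell decoy), 4880 (AddInProcess32.exe from Temp, two reasons) and 3144 (netsh), and stays silent on the conhost children and the initial sample, which the report only catches through static and AV signatures.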

              Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: order_900000000000000.exe, Avira: detected
Multi AV Scanner detection for submitted file
Source: order_900000000000000.exe, Virustotal: Detection: 43%
Source: order_900000000000000.exe, ReversingLabs: Detection: 64%
Machine Learning detection for sample
Source: order_900000000000000.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.AddInProcess32.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.5:49751 -> 185.51.202.58:21
Source: Traffic, Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.5:49752 -> 185.51.202.58:49286
Detected TCP or UDP traffic on non-standard ports
Source: global traffic, TCP traffic: 192.168.2.5:49752 -> 185.51.202.58:49286
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: unknown unknown
Uses FTP
Source: unknown, FTP traffic detected: 185.51.202.58:21 -> 192.168.2.5:49751, server greeting (one multi-line 220 reply):
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 3 of 50 allowed.
220-Local time is now 06:37. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Source: unknown, DNS traffic detected: queries for: ftp.behnazgroup.ir
Source: AddInProcess32.exe, 00000006.00000002.1194592752.000000000301B000.00000004.00000001.sdmp, String found in binary or memory: http://ftp.behnazgroup.ir
Source: AddInProcess32.exe, 00000006.00000002.1194592752.000000000301B000.00000004.00000001.sdmp, String found in binary or memory: http://ldGS097OIn2kJ8.com
Source: AddInProcess32.exe, 00000006.00000002.1194592752.000000000301B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
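The greeting above is a single multi-line 220 reply, and the second connection to 185.51.202.58:49286 that both the Snort rule and the non-standard-port signature fire on is most plausibly the passive-mode data channel of the same FTP session. The following added example (written for this page, not report or Joe Sandbox code) parses an FTP control-channel stream per the RFC 959 reply syntax and decodes a PASV reply. The 227 line in the sample stream is constructed: the report does not show it, and it is included only to illustrate how a high data port is negotiated (49286 = 192*256 + 134); the 220 lines are the ones the report captured.

```python
"""FTP control-channel reply parsing (RFC 959) over the Pure-FTPd greeting
the report captured, plus PASV endpoint decoding. Added example, not report
code; the 227 reply below is constructed for illustration."""
import re
from typing import List, Optional, Tuple

# Constructed server-to-client stream: the 220 lines are from the report,
# the 227 reply is assumed (its last two octets encode port 192*256+134).
SERVER_STREAM = (
    "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n"
    "220-You are user number 3 of 50 allowed.\r\n"
    "220-Local time is now 06:37. Server port: 21.\r\n"
    "220-This is a private system - No anonymous login\r\n"
    "220-IPv6 connections are also welcome on this server.\r\n"
    "220 You will be disconnected after 15 minutes of inactivity.\r\n"
    "227 Entering Passive Mode (185,51,202,58,192,134)\r\n"
)

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_replies(stream: str) -> List[Tuple[int, List[str]]]:
    """Group lines into (code, text_lines). A reply whose first line reads
    'xyz-' continues until a line starting with 'xyz ' (code + space);
    intermediate lines may repeat the code (Pure-FTPd does) or be plain text."""
    replies: List[Tuple[int, List[str]]] = []
    open_code: Optional[int] = None
    open_lines: List[str] = []
    for raw in stream.split("\r\n"):
        if not raw:
            continue
        m = REPLY_LINE.match(raw)
        if open_code is None:
            if not m:
                raise ValueError(f"text outside any reply: {raw!r}")
            code, sep, text = int(m.group(1)), m.group(2), m.group(3)
            if sep == " ":
                replies.append((code, [text]))
            else:
                open_code, open_lines = code, [text]
            continue
        # Inside a multi-line reply: only '<same code> ' terminates it.
        if m and int(m.group(1)) == open_code:
            open_lines.append(m.group(3))
            if m.group(2) == " ":
                replies.append((open_code, open_lines))
                open_code, open_lines = None, []
        else:
            open_lines.append(raw)
    if open_code is not None:
        raise ValueError("stream ended inside a multi-line reply")
    return replies


PASV = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def pasv_endpoint(text: str) -> Tuple[str, int]:
    """Decode 'Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV.search(text)
    if not m:
        raise ValueError("not a PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def summarize(stream: str) -> dict:
    """Greeting lines and the negotiated data-channel endpoint, if any."""
    replies = parse_replies(stream)
    banner = next((lines for code, lines in replies if code == 220), [])
    data_ep = next((pasv_endpoint(lines[0]) for code, lines in replies if code == 227), None)
    return {"banner": banner, "data_endpoint": data_ep}


if __name__ == "__main__":
    info = summarize(SERVER_STREAM)
    print("\n".join(info["banner"]))
    print("data channel:", info["data_endpoint"])
```

A network detection that only watches port 21 misses the payload: the system-info report goes over the data channel the 227 reply points to, which is why the second Snort rule is written against a high port.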

System Summary:

.NET source code contains very large array initializations
Source: order_900000000000000.exe, \u0039x\u0023/t\u00259.cs, Large array initialization: 7Yt: array initializer size 58880
Source: 0.2.order_900000000000000.exe.240000.0.unpack, \u0039x\u0023/t\u00259.cs, Large array initialization: 7Yt: array initializer size 58880
Source: 0.0.order_900000000000000.exe.240000.0.unpack, \u0039x\u0023/t\u00259.cs, Large array initialization: 7Yt: array initializer size 58880
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: order_900000000000000.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\order_900000000000000.exe, Code function: 0_2_00ACEC20 CreateProcessAsUserW
Further code-function hits (the signature headings for these entries are not preserved in this extract):
Source: C:\Users\user\Desktop\order_900000000000000.exe, Code functions: 0_2_00ACDEF6, 0_2_00AC8E47, 0_2_00AC8E58, 0_2_00ACDF07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code functions: 6_2_00B82050, 6_2_01641060, 6_2_0164F00A, 6_2_01645AD0, 6_2_01640448, 6_2_01642C98, 6_2_01647FC9, 6_2_01640790, 6_2_01648600, 6_2_01644146, 6_2_01644950, 6_2_016449E4, 6_2_016439F5, 6_2_016441D4, 6_2_0164418D, 6_2_0164499A, 6_2_01644877, 6_2_0164482D, 6_2_016440FF, 6_2_016448C1, 6_2_01644B4C, 6_2_0164434B, 6_2_01644304, 6_2_01644BE0, 6_2_016443D9, 6_2_01644B96, 6_2_01644392, 6_2_01644A73, 6_2_01644278, 6_2_0164421B, 6_2_01644ABD, 6_2_01644558, 6_2_0164450E, 6_2_01644D08, 6_2_01643D1F, 6_2_016445E7, 6_2_01644D97, 6_2_01644467, 6_2_01644C74, 6_2_01644420, 6_2_01644C2A, 6_2_016444AE, 6_2_01644CBE, 6_2_01643F60, 6_2_01644754, 6_2_016427C8, 6_2_016417D8, 6_2_016427D8, 6_2_0164479E, 6_2_0164467B, 6_2_01644631, 6_2_016446C5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code functions: 6_2_05674560, 6_2_05679595, 6_2_05671640, 6_2_05671220, 6_2_05675228, 6_2_056789B0, 6_2_05674531, 6_2_05675650, 6_2_05671631, 6_2_05679131, 6_2_056711FF, 6_2_05678DF3, 6_2_05678E6E, 6_2_056789A0, 6_2_0567DA3E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code functions: 6_2_063BF050, 6_2_063BB0F0, 6_2_063B58E8, 6_2_063B79D8, 6_2_063B45C0, 6_2_063B3E90, 6_2_063B3E80, 6_2_063B73A8, 6_2_063B3468, 6_2_063B58DA, 6_2_063B6D60, 6_2_063B6D50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code functions: 6_2_064B3E68, 6_2_064BB238, 6_2_064B4AE8, 6_2_064BBAA0, 6_2_064BC768, 6_2_064BF328, 6_2_064BD3E8, 6_2_064B3060, 6_2_064B2D88, 6_2_064BE640, 6_2_064B3E5A, 6_2_064BEA28, 6_2_064B9220, 6_2_064BDBE8, 6_2_064BCB88, 6_2_064B3050, 6_2_064B2D78, 6_2_064B4580, 6_2_064B4590
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code functions: 6_2_06B10348, 6_2_06B10040, 6_2_06B12845, 6_2_06B10339, 6_2_06B10039, 6_2_06B1AD50
Dropped file seen in connection with other malware
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Sample file is different than original file name gathered from version info
Source: order_900000000000000.exe, Binary or memory string: OriginalFilename vs order_900000000000000.exe
Source: order_900000000000000.exe, 00000000.00000002.948831394.00000000038C5000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameVRoTkhAbAWTxOhFfGnMWQgqmvYdPrulaHQEGE.exe4 vs order_900000000000000.exe
Source: order_900000000000000.exe, 00000000.00000002.946802832.0000000002AA9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamekilo.dll4 vs order_900000000000000.exe
Source: order_900000000000000.exe, 00000000.00000002.955058932.0000000006627000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAddInProcess32.exeT vs order_900000000000000.exe
Source: order_900000000000000.exe, 00000000.00000002.953909760.0000000005BA0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamefvsfesdf.dll2 vs order_900000000000000.exe
Source: order_900000000000000.exe, 00000000.00000002.943604019.0000000000242000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameSetIcon.exeL vs order_900000000000000.exe
Source: order_900000000000000.exe, 00000000.00000002.945773354.00000000026C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamesefresf.dllT vs order_900000000000000.exe
Source: order_900000000000000.exe, 00000000.00000002.946042001.0000000002850000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenametgrdcgd.dll2 vs order_900000000000000.exe
Source: order_900000000000000.exe, Binary or memory string: OriginalFilenameSetIcon.exeL vs order_900000000000000.exe
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@9/11@1/1
Source: C:\Users\user\Desktop\order_900000000000000.exe, File created: C:\Users\user\Desktop\0_order1.jpg
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3252:120:WilError_01
Source: C:\Users\user\Desktop\order_900000000000000.exe, File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: order_900000000000000.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\order_900000000000000.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\order_900000000000000.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, File read: C:\Windows\System32\drivers\etc\hosts (2 events)
Source: order_900000000000000.exe, Virustotal: Detection: 43%
Source: order_900000000000000.exe, ReversingLabs: Detection: 64%
Source: unknown, Process created: C:\Users\user\Desktop\order_900000000000000.exe 'C:\Users\user\Desktop\order_900000000000000.exe'
Source: unknown, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown, Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\order_900000000000000.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: C:\Users\user\Desktop\order_900000000000000.exe, Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\order_900000000000000.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: order_900000000000000.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: order_900000000000000.exe, Static PE information: Virtual size of .text is bigger than: 0x100000
Source: order_900000000000000.exe, Static file information: File size 2459136 > 1048576
Source: order_900000000000000.exe, Static PE information: Raw size of .text is bigger than: 0x100000 < 0x257c00
Source: order_900000000000000.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Source: Binary string: AddInProcess32.pdb source: order_900000000000000.exe, 00000000.00000002.955058932.0000000006627000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
              Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb source: order_900000000000000.exe, 00000000.00000002.946802832.0000000002AA9000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb4*N* @*_CorDllMainmscoree.dll source: order_900000000000000.exe, 00000000.00000002.946802832.0000000002AA9000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb source: order_900000000000000.exe, 00000000.00000002.946042001.0000000002850000.00000004.00000001.sdmp
              Source: Binary string: AddInProcess32.pdbpw source: order_900000000000000.exe, 00000000.00000002.955058932.0000000006627000.00000004.00000001.sdmp, AddInProcess32.exe, 00000006.00000000.871476715.0000000000B82000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
              Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 source: order_900000000000000.exe, 00000000.00000002.946042001.0000000002850000.00000004.00000001.sdmp

              Data Obfuscation:

              barindex
              Suspicious powershell command line foundShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
              Source: C:\Users\user\Desktop\order_900000000000000.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpgJump to behavior
              Source: C:\Users\user\Desktop\order_900000000000000.exeCode function: 0_2_0024209C push ebp; iretd 0_2_0024209D
              Source: C:\Users\user\Desktop\order_900000000000000.exeCode function: 0_2_00AC2877 push ebx; ret 0_2_00AC287A
              Source: C:\Users\user\Desktop\order_900000000000000.exeCode function: 0_2_00AC9900 pushad ; iretd 0_2_00AC9901
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 6_2_0164D330 push ebx; retf 6_2_0164D331
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 6_2_063BBAAF push 8B000003h; iretd 6_2_063BBAB4
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 6_2_064B532C push cs; ret 6_2_064B532F
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 6_2_064B20E0 push es; ret 6_2_064B20F8
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 6_2_064B6D70 push es; ret 6_2_064B6D78
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 6_2_064B5192 push 6965E38Ch; ret 6_2_064B5199
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 6_2_06B1E100 push es; ret 6_2_06B1E110
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 6_2_06B10CE7 push 821678BAh; iretd 6_2_06B10CEC
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 6_2_06B1BA51 push eax; ret 6_2_06B1BA5D

Source: C:\Users\user\Desktop\order_900000000000000.exeFile created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

              Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\order_900000000000000.exeFile opened: C:\Users\user\Desktop\order_900000000000000.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\order_900000000000000.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\order_900000000000000.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\order_900000000000000.exeWindow / User API: threadDelayed 391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4314
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2752
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWindow / User API: threadDelayed 789
Source: C:\Users\user\Desktop\order_900000000000000.exe TID: 4384Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\order_900000000000000.exe TID: 2440Thread sleep count: 391 > 30
Source: C:\Users\user\Desktop\order_900000000000000.exe TID: 4624Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2536Thread sleep count: 4314 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2076Thread sleep count: 2752 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4684Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 612Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 3588Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 2904Thread sleep count: 789 > 30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 3588Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 3588Thread sleep time: -59812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 3588Thread sleep time: -59406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\order_900000000000000.exeProcess information queried: ProcessInformation

              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 6_2_0164398D KiUserExceptionDispatcher,LdrInitializeThunk,6_2_0164398D
              Source: C:\Users\user\Desktop\order_900000000000000.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess token adjusted: DebugJump to behavior