Analysis Report 8koETbbDXp

Overview

General Information

Sample Name: 8koETbbDXp (renamed file extension from none to exe)
MD5: 80ebba810d72a169d87bac6fa5592fda
SHA1: 80441ed4ed5d6f639d003a2e8f14d48ebf14d1cc
SHA256: 5f1f3bec4b73a162c6560aba5a4f0834f30a8e94d7964bd757ac1161665fea35

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • 8koETbbDXp.exe (PID: 5828 cmdline: 'C:\Users\user\Desktop\8koETbbDXp.exe' MD5: 80EBBA810D72A169D87BAC6FA5592FDA)
    • powershell.exe (PID: 5400 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AddInProcess32.exe (PID: 5224 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • netsh.exe (PID: 2700 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.1228388372.0000000003FB0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1227557567.0000000003DA5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.1466142501.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.1468678275.0000000002B90000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1228871175.00000000041FD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentImage: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentProcessId: 5224, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 2700
Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentCommandLine: 'C:\Users\user\Desktop\8koETbbDXp.exe' , ParentImage: C:\Users\user\Desktop\8koETbbDXp.exe, ParentProcessId: 5828, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 5224

              Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 8koETbbDXp.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: 8koETbbDXp.exe | Virustotal: Detection: 42%
Source: 8koETbbDXp.exe | ReversingLabs: Detection: 67%
Machine Learning detection for sample
Source: 8koETbbDXp.exe | Joe Sandbox ML: detected
Source: 4.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

              Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.6:49939 -> 185.51.202.58:21
Source: Traffic | Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.6:49940 -> 185.51.202.58:50685
Source: global traffic | TCP traffic: 192.168.2.6:49940 -> 185.51.202.58:50685
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: unknown | FTP traffic detected: 185.51.202.58:21 -> 192.168.2.6:49939 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 08:16. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 08:16. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 08:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 08:16. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | DNS traffic detected: queries for: ftp.behnazgroup.ir
Source: AddInProcess32.exe, 00000004.00000002.1468909462.0000000002C9B000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: AddInProcess32.exe, 00000004.00000002.1468909462.0000000002C9B000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: AddInProcess32.exe, 00000004.00000002.1469210897.0000000002D76000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.behnazgroup.ir
Source: AddInProcess32.exe, 00000004.00000002.1469210897.0000000002D76000.00000004.00000001.sdmp | String found in binary or memory: http://hBqychhQnOQlMd.com
Source: AddInProcess32.exe, 00000004.00000002.1469210897.0000000002D76000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000004.00000002.1468909462.0000000002C9B000.00000004.00000001.sdmp | String found in binary or memory: http://support.apple.com/kb/HT203092
Source: AddInProcess32.exe, 00000004.00000002.1468909462.0000000002C9B000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: AddInProcess32.exe, 00000004.00000002.1468909462.0000000002C9B000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: AddInProcess32.exe, 00000004.00000002.1468909462.0000000002C9B000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: AddInProcess32.exe, 00000004.00000002.1468909462.0000000002C9B000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784

System Summary:

.NET source code contains very large array initializations
Source: 8koETbbDXp.exe, u0036ou0026/u0034Sa.cs | Large array initialization: m^7: array initializer size 58880
Source: 0.2.8koETbbDXp.exe.8c0000.0.unpack, u0036ou0026/u0034Sa.cs | Large array initialization: m^7: array initializer size 58880
Source: 0.0.8koETbbDXp.exe.8c0000.0.unpack, u0036ou0026/u0034Sa.cs | Large array initialization: m^7: array initializer size 58880
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
              Source: 8koETbbDXp.exe, 00000000.00000000.1045910545.0000000000B1C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSetIcon.exeL vs 8koETbbDXp.exe
              Source: 8koETbbDXp.exe, 00000000.00000002.1228388372.0000000003FB0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameVRoTkhAbAWTxOhFfGnMWQgqmvYdPrulaHQEGE.exe4 vs 8koETbbDXp.exe
              Source: 8koETbbDXp.exe, 00000000.00000002.1224741852.0000000003068000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamefvsfesdf.dll2 vs 8koETbbDXp.exe
              Source: 8koETbbDXp.exe, 00000000.00000002.1223540764.0000000002D50000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamesefresf.dllT vs 8koETbbDXp.exe
              Source: 8koETbbDXp.exe, 00000000.00000002.1223540764.0000000002D50000.00000004.00000001.sdmpBinary or memory string: OriginalFilenametgrdcgd.dll2 vs 8koETbbDXp.exe
              Source: 8koETbbDXp.exe, 00000000.00000002.1223540764.0000000002D50000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamekilo.dll4 vs 8koETbbDXp.exe
              Source: 8koETbbDXp.exe, 00000000.00000002.1233746791.0000000006D4F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAddInProcess32.exeT vs 8koETbbDXp.exe
              Source: 8koETbbDXp.exeBinary or memory string: OriginalFilenameSetIcon.exeL vs 8koETbbDXp.exe
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/11@1/1
              Source: C:\Users\user\Desktop\8koETbbDXp.exeFile created: C:\Users\user\Desktop\0_order1.jpgJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3996:120:WilError_01
              Source: C:\Users\user\Desktop\8koETbbDXp.exeFile created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to behavior
              Source: 8koETbbDXp.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\8koETbbDXp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\8koETbbDXp.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: 8koETbbDXp.exeVirustotal: Detection: 42%
              Source: 8koETbbDXp.exeReversingLabs: Detection: 67%
              Source: unknownProcess created: C:\Users\user\Desktop\8koETbbDXp.exe 'C:\Users\user\Desktop\8koETbbDXp.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\8koETbbDXp.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpgJump to behavior
              Source: C:\Users\user\Desktop\8koETbbDXp.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
              Source: C:\Users\user\Desktop\8koETbbDXp.exe :: File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe :: Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: 8koETbbDXp.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: 8koETbbDXp.exe :: Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: 8koETbbDXp.exe :: Static file information: File size 2460672 > 1048576
              Source: 8koETbbDXp.exe :: Static PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
              Source: 8koETbbDXp.exe :: Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Source: Binary string: AddInProcess32.pdb source: 8koETbbDXp.exe, 00000000.00000002.1233746791.0000000006D4F000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
              Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb source: 8koETbbDXp.exe, 00000000.00000002.1223540764.0000000002D50000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb4*N* @*_CorDllMainmscoree.dll source: 8koETbbDXp.exe, 00000000.00000002.1223540764.0000000002D50000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb source: 8koETbbDXp.exe, 00000000.00000002.1223540764.0000000002D50000.00000004.00000001.sdmp
              Source: Binary string: AddInProcess32.pdbpw source: 8koETbbDXp.exe, 00000000.00000002.1233746791.0000000006D4F000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.1466296949.00000000008B2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
              Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 source: 8koETbbDXp.exe, 00000000.00000002.1223540764.0000000002D50000.00000004.00000001.sdmp
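The PDB paths are the most useful pivot in this section: the builder's account name (Switch) and project directory (OchiiMei) recur across two different stub builds (kilo.pdb and tgrdcgd.pdb) found in memory. The variants ending in "pdb4*N*", "pdbpw" and "pdbg6" are, by all appearances, the same paths with bytes that follow the NUL terminator picked up by the sandbox's string scanner (the `_CorDllMain`/`mscoree.dll` import thunk that follows the debug data in a .NET image is the giveaway); that is an inference, not something the report states. The following Python is an added example written for this page, not Joe Sandbox code: it parses CodeView RSDS records properly (signature, 16-byte GUID, 4-byte age, NUL-terminated path) from a raw file or memory image, derives the symbol-server key, and pulls the username and project pivots out of the path. The input blob, GUID and age are constructed; only the path is the one reported above.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CodeViewRecord:
    offset: int       # file offset of the 'RSDS' signature
    guid: str         # 32 uppercase hex digits in Windows GUID field order
    age: int
    pdb_path: str

    @property
    def symstore_key(self) -> str:
        """GUID followed by the age in hex: the directory name a symbol server uses for this PDB."""
        return f"{self.guid}{self.age:X}"


def extract_rsds(data: bytes, max_path: int = 260) -> List[CodeViewRecord]:
    """Scan a raw image for CodeView RSDS records:
    'RSDS' + GUID (16 bytes) + age (uint32 LE) + NUL-terminated PDB path."""
    records: List[CodeViewRecord] = []
    pos = 0
    while True:
        pos = data.find(b"RSDS", pos)
        if pos < 0:
            break
        path_start = pos + 24
        if path_start > len(data):
            break
        d1, d2, d3, d4 = struct.unpack_from("<IHH8s", data, pos + 4)
        (age,) = struct.unpack_from("<I", data, pos + 20)
        nul = data.find(b"\x00", path_start, path_start + max_path + 1)
        if nul < 0:
            pos += 4
            continue
        try:
            path = data[path_start:nul].decode("utf-8")
        except UnicodeDecodeError:
            pos += 4
            continue
        # A stray 'RSDS' byte run is not followed by a printable path ending in .pdb.
        if not (path.isprintable() and path.lower().endswith(".pdb")):
            pos += 4
            continue
        guid = f"{d1:08X}{d2:04X}{d3:04X}{d4.hex().upper()}"
        records.append(CodeViewRecord(pos, guid, age, path))
        pos = nul
    return records


def developer_username(pdb_path: str) -> Optional[str]:
    """Account name under C:\\Users\\ in a PDB path: a pivot across builds from one machine."""
    m = re.match(r"^[a-z]:\\users\\([^\\]+)\\", pdb_path, re.IGNORECASE)
    return m.group(1) if m else None


def project_name(pdb_path: str) -> Optional[str]:
    """Project directory: the component before the conventional obj\\<Config>\\ build output."""
    m = re.search(r"\\([^\\]+)\\obj\\[^\\]+\\[^\\]+\.pdb$", pdb_path, re.IGNORECASE)
    return m.group(1) if m else None


# Constructed sample: the GUID and age are made up; the path is the one reported above,
# followed by the kind of bytes a string scanner runs into after the terminator.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 30
    + b"RSDS" + b"\x00" * 24 + b"not-a-pdb-path\x00"          # decoy signature, must be skipped
    + b"\x00" * 8
    + b"RSDS"
    + struct.pack("<IHH8s", 0x12345678, 0xABCD, 0x4321, bytes(range(1, 9)))
    + struct.pack("<I", 7)
    + rb"C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb" + b"\x00"
    + b"4*N* @*_CorDllMainmscoree.dll\x00"
)

if __name__ == "__main__":
    for rec in extract_rsds(SAMPLE_BLOB):
        print(f"@{rec.offset:#x} {rec.pdb_path}")
        print(f"  symstore key {rec.symstore_key}, user {developer_username(rec.pdb_path)}, "
              f"project {project_name(rec.pdb_path)}")
```

Run it over the dropped AddInProcess32.exe as well as the memory dumps: a relocated framework binary should still carry Microsoft's own AddInProcess32.pdb record, and the GUID/age key tells you whether it is byte-identical to the copy under C:\Windows\Microsoft.NET or a modified build.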

              Data Obfuscation:

              Suspicious powershell command line found
              Source: unknown :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
              Source: C:\Users\user\Desktop\8koETbbDXp.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe :: Code function: 4_2_0112D5FE push ebx; retf 4_2_0112D601
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe :: Code function: 4_2_0622BAAF push 8B000003h; iretd 4_2_0622BAB4
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe :: Code function: 4_2_0632532C push cs; ret 4_2_0632532F
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe :: Code function: 4_2_063220E0 push es; ret 4_2_063220F8
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe :: Code function: 4_2_06325CDB push cs; ret 4_2_06325CDF
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe :: Code function: 4_2_06840CE7 push 821678BAh; iretd 4_2_06840CEC
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe :: Code function: 4_2_0684BA51 push eax; ret 4_2_0684BA5D
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe :: Code function: 4_2_0684DBBB push es; ret 4_2_0684DBBC

              Source: C:\Users\user\Desktop\8koETbbDXp.exe :: File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

              Hooking and other Techniques for Hiding and Protection:

              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Users\user\Desktop\8koETbbDXp.exe :: File opened: C:\Users\user\Desktop\8koETbbDXp.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\8koETbbDXp.exe :: Process information set: NOOPENFILEERRORBOX (37 identical events)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process information set: NOOPENFILEERRORBOX (134 identical events)
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\8koETbbDXp.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\8koETbbDXp.exe Window / User API: threadDelayed 385
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1977
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 860
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Window / User API: threadDelayed 384
Source: C:\Users\user\Desktop\8koETbbDXp.exe TID: 3804 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\8koETbbDXp.exe TID: 480 Thread sleep count: 385 > 30
Source: C:\Users\user\Desktop\8koETbbDXp.exe TID: 5760 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4756 Thread sleep count: 1977 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4756 Thread sleep count: 860 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4732 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5916 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 472 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 3760 Thread sleep count: 384 > 30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 472 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\8koETbbDXp.exe Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 4_2_0112398D KiUserExceptionDispatcher,LdrInitializeThunk,4_2_0112398D
Source: C:\Users\user\Desktop\8koETbbDXp.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\8koETbbDXp.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\8koETbbDXp.exe Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\8koETbbDXp.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\8koETbbDXp.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\8koETbbDXp.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\8koETbbDXp.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 44E000
Source: C:\Users\user\Desktop\8koETbbDXp.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 450000
Source: C:\Users\user\Desktop\8koETbbDXp.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: A7B008
Source: C:\Users\user\Desktop\8koETbbDXp.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: C:\Users\user\Desktop\8koETbbDXp.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: AddInProcess32.exe, 00000004.00000002.1468282473.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: AddInProcess32.exe, 00000004.00000002.1468282473.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: AddInProcess32.exe, 00000004.00000002.1468282473.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: AddInProcess32.exe, 00000004.00000002.1468282473.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock