Analysis Report ELY4Q1XWl8.exe

Overview

General Information

Sample Name:ELY4Q1XWl8.exe
MD5:80ebba810d72a169d87bac6fa5592fda
SHA1:80441ed4ed5d6f639d003a2e8f14d48ebf14d1cc
SHA256:5f1f3bec4b73a162c6560aba5a4f0834f30a8e94d7964bd757ac1161665fea35

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • ELY4Q1XWl8.exe (PID: 2532 cmdline: 'C:\Users\user\Desktop\ELY4Q1XWl8.exe' MD5: 80EBBA810D72A169D87BAC6FA5592FDA)
    • powershell.exe (PID: 4508 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AddInProcess32.exe (PID: 4984 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • netsh.exe (PID: 1976 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.1197668059.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.1199911290.0000000003040000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.955079770.0000000003D56000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.956569578.00000000041AE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.955907459.0000000003F61000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(3 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author
6.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started
Author: Joe Security
Data:
  Command: 'netsh' wlan show profile
  CommandLine: 'netsh' wlan show profile
  CommandLine|base64offset|contains: V
  Image: C:\Windows\SysWOW64\netsh.exe
  NewProcessName: C:\Windows\SysWOW64\netsh.exe
  OriginalFileName: C:\Windows\SysWOW64\netsh.exe
  ParentCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  ParentImage: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  ParentProcessId: 4984
  ProcessCommandLine: 'netsh' wlan show profile
  ProcessId: 1976

Sigma detected: Suspicious Process Creation
Source: Process started
Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
Data:
  Command: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  CommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  CommandLine|base64offset|contains: (empty)
  Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  NewProcessName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  OriginalFileName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  ParentCommandLine: 'C:\Users\user\Desktop\ELY4Q1XWl8.exe'
  ParentImage: C:\Users\user\Desktop\ELY4Q1XWl8.exe
  ParentProcessId: 2532
  ProcessCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  ProcessId: 4984
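The two Sigma hits above are the process-creation evidence of this report seen from the detection side. What follows is an added example, not Joe Sandbox or Sigma project code, that re-implements that logic in Python over constructed Sysmon-style process-creation events mirroring the process tree in the Startup section (PIDs and paths from the report). Assumptions, all the editor's: the "Suspicious Process Creation" rule is approximated as a .NET Framework host binary (AddInProcess32.exe and similar) executing from a temp directory instead of %WINDIR%\Microsoft.NET, the published rule text is not reproduced; the root process's parent (explorer.exe) and the two benign rows are made up; the decoy-document rule covers the powershell "Start-Process 0_order1.jpg" line from the tree, which is the same dropper opening a lure next to itself.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon EID 1 / Windows 4688 shape)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def _norm(cmd: str) -> str:
    # Drop the quoting variants loggers print ('netsh' vs "netsh") and lowercase.
    return cmd.replace("'", "").replace('"', "").lower()


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_wifi_profile_harvest(ev: ProcessEvent) -> bool:
    """'Capture Wi-Fi password': netsh wlan show profile [...] [key=clear].
    'show profile' alone enumerates SSIDs; the stealer then calls it again per
    SSID with key=clear to dump the PSK, so the enumeration step is flagged too."""
    if _basename(ev.image) != "netsh.exe":
        return False
    cl = _norm(ev.command_line)
    return "wlan" in cl and "show" in cl and "profile" in cl


# Assumption: analyst-maintained list of .NET Framework binaries that legitimately
# live only under %WINDIR%\Microsoft.NET and are commonly abused as injection hosts.
DOTNET_HOSTS = {"addinprocess32.exe", "addinprocess.exe", "regasm.exe",
                "regsvcs.exe", "msbuild.exe", "installutil.exe"}
TEMP_DIRS = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\|\\users\\public\\", re.I)


def is_temp_dotnet_host(ev: ProcessEvent) -> bool:
    """Editor's approximation of the 'Suspicious Process Creation' hit: a binary
    named like a .NET host running from a temp directory."""
    return _basename(ev.image) in DOTNET_HOSTS and bool(TEMP_DIRS.search(ev.image))


def is_decoy_document_launch(ev: ProcessEvent) -> bool:
    """PowerShell spawned by a non-shell parent only to Start-Process a document
    (the 0_order1.jpg lure the dropper writes next to itself)."""
    if _basename(ev.image) != "powershell.exe":
        return False
    if _basename(ev.parent_image) in {"explorer.exe", "cmd.exe", "powershell.exe"}:
        return False
    cl = _norm(ev.command_line)
    return "start-process" in cl and re.search(r"\.(jpe?g|png|pdf|docx?|xlsx?)(\s|$)", cl) is not None


RULES = (
    ("capture_wifi_profiles", is_wifi_profile_harvest),
    ("dotnet_host_in_temp", is_temp_dotnet_host),
    ("decoy_document_via_powershell", is_decoy_document_launch),
)


def detect(events: Iterable[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run every rule over every event, then correlate along the tree: a netsh hit
    whose parent is itself a temp-resident .NET host becomes a credential-theft finding."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    hits = [(e.pid, name) for e in events for name, rule in RULES if rule(e)]
    for e in events:
        parent = by_pid.get(e.parent_pid)
        if parent and is_wifi_profile_harvest(e) and is_temp_dotnet_host(parent):
            hits.append((e.pid, "wlan_credential_theft_from_temp_host"))
    return hits


# Constructed events mirroring this report's process tree; the root's parent and
# the two benign rows (7001, 7002) are invented for the example.
SAMPLE_EVENTS = [
    ProcessEvent(2532, r"C:\Users\user\Desktop\ELY4Q1XWl8.exe",
                 r"'C:\Users\user\Desktop\ELY4Q1XWl8.exe'", 1000, r"C:\Windows\explorer.exe"),
    ProcessEvent(4508, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg",
                 2532, r"C:\Users\user\Desktop\ELY4Q1XWl8.exe"),
    ProcessEvent(4984, r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
                 r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
                 2532, r"C:\Users\user\Desktop\ELY4Q1XWl8.exe"),
    ProcessEvent(1976, r"C:\Windows\SysWOW64\netsh.exe", "'netsh' wlan show profile",
                 4984, r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"),
    # Benign: an admin listing firewall profiles from cmd, and the genuine .NET host.
    ProcessEvent(7001, r"C:\Windows\System32\netsh.exe", "netsh advfirewall show allprofiles",
                 7000, r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(7002, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
                 7003, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

The correlation step is what turns three medium-confidence hits into one high-confidence finding: `netsh wlan show profile` from an admin's shell is routine, while the same command spawned by a .NET host binary living in %Temp% is the AgentTesla collection step this report shows.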

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ELY4Q1XWl8.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: ELY4Q1XWl8.exe | Virustotal: Detection: 42%
Source: ELY4Q1XWl8.exe | ReversingLabs: Detection: 67%
Machine Learning detection for sample
Source: ELY4Q1XWl8.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.5:49749 -> 185.51.202.58:21
Source: Traffic | Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.5:49750 -> 185.51.202.58:53307
Source: global traffic | TCP traffic: 192.168.2.5:49750 -> 185.51.202.58:53307
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: unknown | FTP traffic detected: 185.51.202.58:21 -> 192.168.2.5:49749, server banner:
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 2 of 50 allowed.
  220-Local time is now 08:23. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | DNS traffic detected: queries for: ftp.behnazgroup.ir
Source: AddInProcess32.exe, 00000006.00000002.1200654346.00000000031EC000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.behnazgroup.ir
Source: AddInProcess32.exe, 00000006.00000002.1200654346.00000000031EC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000006.00000002.1200654346.00000000031EC000.00000004.00000001.sdmp | String found in binary or memory: https://17MJudQZsQTVQhHln5.net
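The network evidence above has two parts a hunter wants to reproduce: the multi-line FTP banner (which the sandbox captured as one run-on line) and the control/data channel pair, 49749->21 followed by 49750->53307, that both Snort rules fired on. The following Python is an added example by the editor, not Joe Sandbox, Snort or Emerging Threats code: an RFC 959 reply parser, a banner fingerprint, and a correlation over constructed connection events that flags an FTP control connection from a process that is not a known FTP client and attaches the passive-mode data channel that follows it. Assumptions: the list of expected FTP clients is the editor's; the timestamps, the benign WinSCP session to 203.0.113.10 and the unrelated HTTPS flow to 198.51.100.7 are invented; the banner text is the six lines from this report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed from the six banner lines the sandbox captured, with CRLF as on the wire.
FTP_BANNER = (
    "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n"
    "220-You are user number 2 of 50 allowed.\r\n"
    "220-Local time is now 08:23. Server port: 21.\r\n"
    "220-This is a private system - No anonymous login\r\n"
    "220-IPv6 connections are also welcome on this server.\r\n"
    "220 You will be disconnected after 15 minutes of inactivity.\r\n"
)


def parse_ftp_reply(raw: str) -> Tuple[int, List[str]]:
    """Split an RFC 959 reply into (code, text lines). Continuation lines are
    'NNN-text'; the reply ends at the first 'NNN text' line carrying the same code."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]
    if not lines or not re.match(r"\d{3}[ -]", lines[0]):
        raise ValueError("not an FTP reply")
    code = lines[0][:3]
    text: List[str] = []
    for line in lines:
        if len(line) < 4 or not line.startswith(code) or line[3] not in " -":
            raise ValueError(f"unexpected line in {code} reply: {line!r}")
        text.append(line[4:])
        if line[3] == " ":
            return int(code), text
    raise ValueError("multi-line reply never terminated")


def fingerprint_server(text: List[str]) -> Dict[str, object]:
    """Pull what matters for hunting: server software, whether TLS is offered,
    whether anonymous login is refused (so the sample must carry credentials)."""
    joined = " ".join(text)
    sw = re.search(r"Welcome to ([A-Za-z0-9.+-]+)", joined)
    idle = re.search(r"(\d+) minutes of inactivity", joined)
    return {
        "software": sw.group(1) if sw else None,
        "tls_advertised": "[TLS]" in joined,
        "anonymous_login": "No anonymous login" not in joined,
        "idle_timeout_min": int(idle.group(1)) if idle else None,
    }


@dataclass(frozen=True)
class NetEvent:
    ts: float       # seconds since start of trace (constructed)
    pid: int
    image: str
    src_port: int
    dst_ip: str
    dst_port: int


# Assumption: processes an analyst expects to speak FTP on the monitored hosts.
EXPECTED_FTP_CLIENTS = {"filezilla.exe", "winscp.exe", "ftp.exe", "explorer.exe", "curl.exe"}


def find_ftp_exfil(events: List[NetEvent], window_s: float = 10.0) -> List[Dict[str, object]]:
    """Flag a control connection (dst port 21) from an unexpected process and attach
    any passive-mode data channel: a later connection from the same process to the
    same server on a high port. Passive mode is what makes the second flow land on an
    arbitrary port such as 53307, so a port-21-only rule misses the actual upload."""
    findings = []
    for ctl in sorted(events, key=lambda e: e.ts):
        if ctl.dst_port != 21:
            continue
        if ctl.image.rsplit("\\", 1)[-1].lower() in EXPECTED_FTP_CLIENTS:
            continue
        data = [(e.src_port, e.dst_port) for e in events
                if e.pid == ctl.pid and e.dst_ip == ctl.dst_ip and e.dst_port > 1023
                and 0.0 <= e.ts - ctl.ts <= window_s]
        findings.append({"pid": ctl.pid, "image": ctl.image, "server": ctl.dst_ip,
                         "control": (ctl.src_port, 21), "data_channels": data,
                         "exfil_likely": bool(data)})
    return findings


# Constructed trace: the two flows from this report, an unrelated HTTPS flow from the
# same process, and a benign WinSCP session to a documentation address.
SAMPLE_TRACE = [
    NetEvent(0.0, 4984, r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe", 49749, "185.51.202.58", 21),
    NetEvent(1.4, 4984, r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe", 49750, "185.51.202.58", 53307),
    NetEvent(2.0, 4984, r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe", 49751, "198.51.100.7", 443),
    NetEvent(5.0, 6100, r"C:\Program Files (x86)\WinSCP\WinSCP.exe", 50200, "203.0.113.10", 21),
    NetEvent(5.5, 6100, r"C:\Program Files (x86)\WinSCP\WinSCP.exe", 50201, "203.0.113.10", 40001),
]

if __name__ == "__main__":
    code, text = parse_ftp_reply(FTP_BANNER)
    print(code, fingerprint_server(text))
    for f in find_ftp_exfil(SAMPLE_TRACE):
        print(f)
```

The banner's "No anonymous login" line is worth noting on its own: the stealer authenticated, so the FTP credentials are embedded in the unpacked payload, which is why a memory dump of the injected AddInProcess32.exe (dump 6.2 above) is the right place to look for them.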

System Summary:

.NET source code contains very large array initializations
Source: ELY4Q1XWl8.exe, \u0036o\u0026/\u0034Sa.cs | Large array initialization: m^7: array initializer size 58880
Source: 0.2.ELY4Q1XWl8.exe.840000.0.unpack, \u0036o\u0026/\u0034Sa.cs | Large array initialization: m^7: array initializer size 58880
Source: 0.0.ELY4Q1XWl8.exe.840000.0.unpack, \u0036o\u0026/\u0034Sa.cs | Large array initialization: m^7: array initializer size 58880
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code functions (process 6, dump 2), grouped by region:
  6_2_00DA2050
  6_2_016B1060, 6_2_016BF018, 6_2_016B5AD0, 6_2_016B0448, 6_2_016B2C98, 6_2_016B7FC9, 6_2_016B0790,
  6_2_016B8600, 6_2_016B4146, 6_2_016B4950, 6_2_016B49E4, 6_2_016B39F5, 6_2_016B41D4, 6_2_016B2C98,
  6_2_016B418D, 6_2_016B499A, 6_2_016B4877, 6_2_016B482D, 6_2_016BF00A, 6_2_016B40FF, 6_2_016B48C1,
  6_2_016BF091, 6_2_016B434B, 6_2_016B4B4C, 6_2_016B4304, 6_2_016BD3EE, 6_2_016B4BE0, 6_2_016B43D9,
  6_2_016B4392, 6_2_016B4B96, 6_2_016B4278, 6_2_016B4A73, 6_2_016B421B, 6_2_016B4ABD, 6_2_016B4558,
  6_2_016B4D08, 6_2_016B450E, 6_2_016B3D1F, 6_2_016B45E7, 6_2_016B4D97, 6_2_016B4467, 6_2_016B4C74,
  6_2_016B4C2A, 6_2_016B4420, 6_2_016B44AE, 6_2_016B4CBE, 6_2_016B3F60, 6_2_016B4754, 6_2_016B27C8,
  6_2_016B27D8, 6_2_016B479E, 6_2_016B467B, 6_2_016B4631, 6_2_016B46C5
  6_2_058995B8, 6_2_05894560, 6_2_05891640, 6_2_05895228, 6_2_05891220, 6_2_058989B0, 6_2_05893A36,
  6_2_0589447B, 6_2_05891631, 6_2_05895650, 6_2_058911FF, 6_2_05899131, 6_2_05898DF3, 6_2_05898E6E,
  6_2_058989A0
  6_2_065D45C0, 6_2_065DF050, 6_2_065DB0F0, 6_2_065D58E8, 6_2_065D79D8, 6_2_065D3E90, 6_2_065D3E80,
  6_2_065D3468, 6_2_065D6D50, 6_2_065D6D60, 6_2_065D5D1C, 6_2_065D73A8, 6_2_065D58DB
  6_2_066D3E68, 6_2_066DB238, 6_2_066D4AE8, 6_2_066DBAA0, 6_2_066DC768, 6_2_066DF328, 6_2_066DD3E8,
  6_2_066D3060, 6_2_066D2D88, 6_2_066DE640, 6_2_066D3E5A, 6_2_066DEA28, 6_2_066DB228, 6_2_066D9220,
  6_2_066DBA90, 6_2_066DC758, 6_2_066DDBE8, 6_2_066DB3A3, 6_2_066DCB88, 6_2_066D3050, 6_2_066D2D78,
  6_2_066DA976, 6_2_066DB5D0, 6_2_066D458D, 6_2_066D4590
  6_2_06BF0348, 6_2_06BF0040, 6_2_06BF2845, 6_2_06BF160B, 6_2_06BF0339, 6_2_06BF0006, 6_2_06BFAD50
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Source: ELY4Q1XWl8.exe, 00000000.00000002.962200118.0000000006CE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAd vs ELY4Q1XWl8.exe
Source: ELY4Q1XWl8.exe, 00000000.00000003.796520606.0000000006A1B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVRoTkhAbAWTxOhFfGnMWQgqmvYdPrulaHQEGE.exe4 vs ELY4Q1XWl8.exe
Source: ELY4Q1XWl8.exe, 00000000.00000002.952625855.0000000003020000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefvsfesdf.dll2 vs ELY4Q1XWl8.exe
Source: ELY4Q1XWl8.exe, 00000000.00000002.951419275.0000000002BE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesefresf.dllT vs ELY4Q1XWl8.exe
Source: ELY4Q1XWl8.exe, 00000000.00000002.952259617.0000000002F3A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekilo.dll4 vs ELY4Q1XWl8.exe
Source: ELY4Q1XWl8.exe, 00000000.00000000.773698420.0000000000A9C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSetIcon.exeL vs ELY4Q1XWl8.exe
Source: ELY4Q1XWl8.exe, 00000000.00000002.951477207.0000000002D00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenametgrdcgd.dll2 vs ELY4Q1XWl8.exe
Source: ELY4Q1XWl8.exe | Binary or memory string: OriginalFilenameSetIcon.exeL vs ELY4Q1XWl8.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/11@1/1
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | File created: C:\Users\user\Desktop\0_order1.jpg
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2524:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4388:120:WilError_01
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: ELY4Q1XWl8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ELY4Q1XWl8.exe | Virustotal: Detection: 42%
Source: ELY4Q1XWl8.exe | ReversingLabs: Detection: 67%
Source: unknown | Process created: C:\Users\user\Desktop\ELY4Q1XWl8.exe 'C:\Users\user\Desktop\ELY4Q1XWl8.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ELY4Q1XWl8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ELY4Q1XWl8.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ELY4Q1XWl8.exe | Static file information: File size 2460672 > 1048576
Source: ELY4Q1XWl8.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
Source: ELY4Q1XWl8.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: ELY4Q1XWl8.exe, 00000000.00000002.962200118.0000000006CE0000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb source: ELY4Q1XWl8.exe, 00000000.00000002.952259617.0000000002F3A000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb4*N* @*_CorDllMainmscoree.dll source: ELY4Q1XWl8.exe, 00000000.00000002.952259617.0000000002F3A000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb source: ELY4Q1XWl8.exe, 00000000.00000002.951477207.0000000002D00000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdb>L source: ELY4Q1XWl8.exe, 00000000.00000002.962200118.0000000006CE0000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000006.00000000.877012348.0000000000DA2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 source: ELY4Q1XWl8.exe, 00000000.00000002.951477207.0000000002D00000.00000004.00000001.sdmp

              Data Obfuscation:

              Suspicious powershell command line found
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
              Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
              Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | Code function: 0_2_05ED0988 push 8BF88B67h; iretd 0_2_05ED0993
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_016BDE27 push edi; retn 0000h 6_2_016BDE29
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_065DBAAD push 8B000003h; iretd 6_2_065DBAB4
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_066D532C push cs; ret 6_2_066D532F
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_066D20E0 push es; ret 6_2_066D20F8
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_066D6D70 push es; ret 6_2_066D6D78
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_066D5192 push 6965C18Ch; ret 6_2_066D5199
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BF60D4 push edi; retn 0006h 6_2_06BFB412
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BFA60B push ecx; retn 0006h 6_2_06BFA61A
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BFA601 push eax; retn 0006h 6_2_06BFA602
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BFA412 push eax; retn 0006h 6_2_06BFA41A
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BFA47B push eax; retn 0006h 6_2_06BFA492
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BFA509 push eax; retn 0006h 6_2_06BFA50A
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BFC218 pushad; retn 0006h 6_2_06BFC219
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BFC340 pushfd; retn 0006h 6_2_06BFC589
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BFE108 push es; ret 6_2_06BFE110
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BFAF38 push ebx; retn 0006h 6_2_06BFAF3A
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BF0CE7 push 821678BAh; iretd 6_2_06BF0CEC
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06BFB441 push edi; retn 0006h 6_2_06BFB442
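The "Code function" entries above are two-instruction sequences such as push imm32; iretd or push reg; retn imm16. A compiler never emits a push immediately followed by a return; packers and .NET protectors emit the pair as a stack-based indirect jump, so the real control-flow target is invisible to a static disassembler and the stack pointer is off by the retn operand afterwards. The scanner below is an added example, not part of the Joe Sandbox report or the sample: it reproduces that check over raw 32-bit x86 bytes. The byte buffer and the base address 0x06BF0000 are constructed for the demonstration.

```python
"""Flag push/ret style control-flow gadgets in raw 32-bit x86 code.

Added example, not part of the Joe Sandbox report: it reproduces the check
behind the "Code function: ... push ...; ret" entries above. The sample bytes
and the base address are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUSH_REG = {0x50 + i: r for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
PUSH_IMM32, PUSH_IMM8, PUSHAD, PUSHFD = 0x68, 0x6A, 0x60, 0x9C
RET, RETN_IMM16, IRETD = 0xC3, 0xC2, 0xCF


@dataclass(frozen=True)
class Gadget:
    offset: int   # virtual address of the push (base + buffer offset)
    text: str     # e.g. "push 8BF88B67h; iretd"


def _decode_push(code: bytes, i: int) -> Optional[Tuple[str, int]]:
    """Return (mnemonic, length) if code[i:] starts with a push, else None."""
    op = code[i]
    if op == PUSH_IMM32 and i + 5 <= len(code):
        imm = struct.unpack_from("<I", code, i + 1)[0]
        return f"push {imm:08X}h", 5
    if op == PUSH_IMM8 and i + 2 <= len(code):
        return f"push {code[i + 1]:02X}h", 2
    if op in PUSH_REG:
        return f"push {PUSH_REG[op]}", 1
    if op in PUSH_SEG:
        return f"push {PUSH_SEG[op]}", 1
    if op == PUSHAD:
        return "pushad", 1
    if op == PUSHFD:
        return "pushfd", 1
    return None


def _decode_ret(code: bytes, i: int) -> Optional[str]:
    """Return the return mnemonic starting at code[i], else None."""
    if i >= len(code):
        return None
    op = code[i]
    if op == RET:
        return "ret"
    if op == IRETD:
        return "iretd"
    if op == RETN_IMM16 and i + 3 <= len(code):
        return f"retn {struct.unpack_from('<H', code, i + 1)[0]:04X}h"
    return None


def scan_gadgets(code: bytes, base: int = 0) -> List[Gadget]:
    """Report every push immediately followed by ret/retn/iretd.

    The scan is byte-granular, not instruction-aligned, so operand bytes that
    happen to decode as a push can produce false positives; treat hits as
    leads to confirm in a disassembler, not as verdicts.
    """
    hits: List[Gadget] = []
    for i in range(len(code)):
        push = _decode_push(code, i)
        if push is None:
            continue
        mnemonic, length = push
        ret = _decode_ret(code, i + length)
        if ret is not None:
            hits.append(Gadget(base + i, f"{mnemonic}; {ret}"))
    return hits


# Constructed buffer: a normal prologue (push ebp; mov ebp, esp), four
# obfuscation gadgets separated by nops, and a plain function-ending ret.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"              # push ebp; mov ebp, esp  (not a gadget)
    "68 67 8B F8 8B CF"     # push 8BF88B67h; iretd
    "90 90"
    "57 C2 06 00"           # push edi; retn 0006h
    "06 C3"                 # push es; ret
    "90"
    "60 C2 06 00"           # pushad; retn 0006h
    "C3"
)

if __name__ == "__main__":
    for g in scan_gadgets(SAMPLE_CODE, base=0x06BF0000):
        print(f"{g.offset:08X}  {g.text}")
```

Run against a dumped section of the unpacked AddInProcess32.exe image rather than the on-disk file: the flagged addresses (0x065D..., 0x066D..., 0x06BF...) lie in memory the sample allocated at run time, so the obfuscated code only exists after unpacking.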

              Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

              Hooking and other Techniques for Hiding and Protection:

              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | File opened: C:\Users\user\Desktop\ELY4Q1XWl8.exe:Zone.Identifier (access: read attributes, delete)
              Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe | Process information set: NOOPENFILEERRORBOX (37 occurrences)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (121 occurrences)
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX (55 occurrences)
              Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
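The first entry in this section is the one that matters. The sample opened its own on-disk image's Zone.Identifier alternate data stream with delete access. That stream is the Mark-of-the-Web that Windows and browsers write to files fetched from the Internet (ZoneId=3) and that SmartScreen and Office Protected View key on; removing it makes the executable look locally created and removes the warning a victim would otherwise see. The NOOPENFILEERRORBOX entries are SetErrorMode(SEM_NOOPENFILEERRORBOX), which suppresses the dialog Windows shows when a file or DLL fails to load; on its own it is a weak indicator because runtime startup code sets it too. The Python below is an added example, not part of the report: it parses a Zone.Identifier stream body and, on Windows, reads the stream directly through the path:stream syntax, returning None when the stream is absent. The stream text and its URLs are constructed for the demonstration.

```python
"""Inspect a file's Zone.Identifier stream (Mark-of-the-Web).

Added example, not part of the Joe Sandbox report. parse_zone_identifier()
runs anywhere over the stream's text; read_zone_identifier() needs Windows
and NTFS, where the stream is opened as "<path>:Zone.Identifier". The sample
stream and its URLs are constructed for the demonstration.
"""
import configparser
import os
from typing import Dict, Optional

# URL security zone ids written into Zone.Identifier by Windows and browsers.
ZONE_NAMES = {
    0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
    3: "Internet", 4: "Restricted sites",
}
STREAM_SUFFIX = ":Zone.Identifier"


def parse_zone_identifier(text: str) -> Dict[str, object]:
    """Parse the INI-style stream body into zone id, zone name and URLs."""
    # Only '=' separates keys from values; URLs contain ':' so it must not.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string("\n".join(text.splitlines()))   # tolerate CRLF endings
    if "ZoneTransfer" not in parser:
        raise ValueError("no [ZoneTransfer] section in Zone.Identifier stream")
    section = parser["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": section.get("ReferrerUrl"),   # page the download came from
        "host_url": section.get("HostUrl"),           # URL the bytes were fetched from
    }


def is_marked_internet(info: Dict[str, object]) -> bool:
    """ZoneId 3 (Internet) or 4 (Restricted) is what SmartScreen/Protected View act on."""
    return int(info["zone_id"]) >= 3


def read_zone_identifier(path: str) -> Optional[Dict[str, object]]:
    """Read and parse <path>:Zone.Identifier on Windows/NTFS.

    Returns None when the file has no such stream. For a file known to have
    arrived from the Internet that means its MotW was removed, which is the
    behaviour the report flags for ELY4Q1XWl8.exe.
    """
    if os.name != "nt":
        raise OSError("alternate data streams are only addressable on Windows/NTFS")
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except FileNotFoundError:
        return None


# Constructed stream body as a browser download would write it (CRLF line ends).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.test/inbox\r\n"
    "HostUrl=https://files.example.test/download/ELY4Q1XWl8.exe\r\n"
)

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, "from Internet:", is_marked_internet(info))
```

In triage, compare the result of read_zone_identifier() against how the file is known to have arrived (mail attachment, browser download): a missing stream on a file the user downloaded is evidence of MotW removal, whereas a missing stream on a file copied from a FAT-formatted USB stick is expected, since FAT has no alternate data streams.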

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe Window / User API: threadDelayed 382
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3644
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1553
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Window / User API: threadDelayed 595
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe TID: 3488 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe TID: 3044 Thread sleep count: 382 > 30
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe TID: 4360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4216 Thread sleep count: 3644 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4216 Thread sleep count: 1553 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5092 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 3360 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 4636 Thread sleep count: 595 > 30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 3360 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 3360 Thread sleep time: -58906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 6_2_016B398D KiUserExceptionDispatcher,LdrInitializeThunk,6_2_016B398D
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\ELY4Q1XWl8.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop