
Analysis Report x9VdO4ELtL

Overview

General Information

Sample Name: x9VdO4ELtL (renamed file extension from none to exe)
MD5: 04147dc4f5fe55e54465c49d067bcb68
SHA1: 94425023a2d78b0d06ec8759756fd85257cbf5b3
SHA256: f317843c047e64474a2c0a9207f70f67a4cc9298065a3611d947f186d6733fb7

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • x9VdO4ELtL.exe (PID: 4488 cmdline: 'C:\Users\user\Desktop\x9VdO4ELtL.exe' MD5: 04147DC4F5FE55E54465C49D067BCB68)
    • powershell.exe (PID: 2620 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AddInProcess32.exe (PID: 4772 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • netsh.exe (PID: 5028 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.1193920797.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.952683357.00000000044DE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.951175422.0000000004086000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.952085267.0000000004291000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.1195579663.00000000032C0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(2 further entries are collapsed in the original report)

            Unpacked PEs

Source | Rule | Description | Author
5.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

              Sigma Overview


System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentImage: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentProcessId: 4772, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 5028
Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentCommandLine: 'C:\Users\user\Desktop\x9VdO4ELtL.exe' , ParentImage: C:\Users\user\Desktop\x9VdO4ELtL.exe, ParentProcessId: 4488, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 4772
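Both Sigma hits above are plain process-creation matches, and note that despite the "Uses netsh to modify the Windows network and firewall settings" headline in the signature list, `netsh wlan show profile` only reads saved WLAN profiles; it is the credential-harvesting step, not a configuration change. The following Python is an added example, not Joe Sandbox or Sigma project code: it evaluates the Wi-Fi rule over constructed events that copy the report's process tree (PIDs, images, command lines from the page) and adds a correlation of my own, flagging the profile read harder when an ancestor is a .NET host binary such as AddInProcess32.exe running from a user-writable path instead of the .NET Framework directory. The `dotnet_host_outside_framework` heuristic and its directory lists are assumptions for illustration; they are not the logic of the cited "Suspicious Process Creation" rule, which the report does not reproduce.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events mirroring the report's startup tree
# (PIDs, images and command lines taken from the page; ppid 0 = parent not recorded).
EVENTS: List[ProcEvent] = [
    ProcEvent(4488, 0, r"C:\Users\user\Desktop\x9VdO4ELtL.exe",
              r"'C:\Users\user\Desktop\x9VdO4ELtL.exe'"),
    ProcEvent(2620, 4488, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' "
              r"Start-Process C:\Users\user\Desktop\0_order1.jpg"),
    ProcEvent(4772, 4488, r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
              r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"),
    ProcEvent(5028, 4772, r"C:\Windows\SysWOW64\netsh.exe", r"'netsh' wlan show profile"),
    ProcEvent(1012, 5028, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]
BY_PID: Dict[int, ProcEvent] = {e.pid: e for e in EVENTS}

# 'Capture Wi-Fi password': netsh listing WLAN profiles. The same pattern also catches the
# per-profile 'wlan show profile name=... key=clear' form that dumps the PSK in clear text.
WIFI_RE = re.compile(r"\bwlan\s+show\s+profile", re.IGNORECASE)

# Assumption of this example (not the cited Sigma rule): .NET host binaries belong under the
# Framework directories, so one running from a user-writable path is a likely injection host.
DOTNET_HOSTS = {"addinprocess32.exe", "addinprocess.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
FRAMEWORK_DIRS = ("c:\\windows\\microsoft.net\\framework\\", "c:\\windows\\microsoft.net\\framework64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def rule_wifi_capture(ev: ProcEvent) -> bool:
    return basename(ev.image) == "netsh.exe" and WIFI_RE.search(ev.cmdline) is not None


def rule_dotnet_host_misplaced(ev: ProcEvent) -> bool:
    img = ev.image.lower()
    if basename(img) not in DOTNET_HOSTS:
        return False
    return not img.startswith(FRAMEWORK_DIRS) and any(d in img for d in USER_WRITABLE)


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[int]:
    """PID chain from the process up to the root; stops at an unknown parent or a cycle."""
    chain: List[int] = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


RULES = (("capture_wifi_password", rule_wifi_capture),
         ("dotnet_host_outside_framework", rule_dotnet_host_misplaced))


def evaluate(events: List[ProcEvent]) -> List[dict]:
    """One finding per matching event, with its ancestry attached for triage."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        hits = [name for name, rule in RULES if rule(ev)]
        if hits:
            findings.append({"pid": ev.pid, "rules": hits, "chain": ancestry(ev.pid, by_pid)})
    return findings


def wifi_theft_from_dropped_host(events: List[ProcEvent]) -> bool:
    """Correlation: the WLAN profile read was spawned, directly or further up, by a misplaced .NET host."""
    by_pid = {e.pid: e for e in events}
    for finding in evaluate(events):
        if "capture_wifi_password" in finding["rules"]:
            if any(rule_dotnet_host_misplaced(by_pid[p]) for p in finding["chain"][1:]):
                return True
    return False


if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(finding)
    print("WLAN theft from dropped host:", wifi_theft_from_dropped_host(EVENTS))
```

On the report's tree the correlation fires because netsh (PID 5028) is a child of the AddInProcess32.exe copy in %TEMP% (PID 4772); the same netsh command run from an interactive console by an administrator would match only the single-event rule, which is why the parent chain is worth keeping in the finding.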

              Signature Overview


              AV Detection:

Antivirus / Scanner detection for submitted sample
Source: x9VdO4ELtL.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: x9VdO4ELtL.exe | Virustotal: Detection: 43%
Source: x9VdO4ELtL.exe | ReversingLabs: Detection: 64%
Machine Learning detection for sample
Source: x9VdO4ELtL.exe | Joe Sandbox ML: detected
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

              System Summary:

.NET source code contains very large array initializations
Source: x9VdO4ELtL.exe, u0039xu0023/tu00259.cs | Large array initialization: 7Yt: array initializer size 58880
Source: 0.0.x9VdO4ELtL.exe.a60000.0.unpack, u0039xu0023/tu00259.cs | Large array initialization: 7Yt: array initializer size 58880
Source: 0.2.x9VdO4ELtL.exe.a60000.0.unpack, u0039xu0023/tu00259.cs | Large array initialization: 7Yt: array initializer size 58880
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code functions (process 5, post-execution dump, addresses prefixed 5_2_): 00FF2050, 01721060, 01720448, 01722C98, 01727FC9, 01728600, 01724950, 01724146, 017239F5, 017249E4, 017241D4, 0172499A, 0172418D, 01724877, 0172482D, 017240FF, 017248C1, 0172434B, 01724B4C, 0172731C, 01724304, 01724BE0, 017243D9, 01724392, 01724B96, 01724A73, 01724278, 0172421B, 01724ABD, 01724558, 01723D1F, 01724D08, 0172450E, 017245E7, 01724D97, 01724C74, 01724467, 01724420, 01724C2A, 01724CBE, 017244AE, 01723F60, 01724754, 017227D8, 017227C8, 01720790, 0172479E, 0172467B, 01724631, 017246C5, 05AE9595, 05AE4560, 05AE1640, 05AE5228, 05AE1220, 05AE89B0, 05AE4513, 05AE1631, 05AE5650, 05AE11FF, 05AE9131, 05AE8DF3, 05AE8E6E, 05AE89A0, 05AEDA3E, 069658E8, 069645C0, 06963E90, 06963E80, 069658DA, 06963468, 06965D18
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Source: x9VdO4ELtL.exe | Binary or memory string: OriginalFilename vs x9VdO4ELtL.exe
Source: x9VdO4ELtL.exe, 00000000.00000000.769851539.0000000000A62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSetIcon.exeL vs x9VdO4ELtL.exe
Source: x9VdO4ELtL.exe, 00000000.00000003.798341836.0000000006620000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVRoTkhAbAWTxOhFfGnMWQgqmvYdPrulaHQEGE.exe4 vs x9VdO4ELtL.exe
Source: x9VdO4ELtL.exe, 00000000.00000002.946836823.0000000003030000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesefresf.dllT vs x9VdO4ELtL.exe
Source: x9VdO4ELtL.exe, 00000000.00000002.946836823.0000000003030000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenametgrdcgd.dll2 vs x9VdO4ELtL.exe
Source: x9VdO4ELtL.exe, 00000000.00000002.948924094.000000000334F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefvsfesdf.dll2 vs x9VdO4ELtL.exe
Source: x9VdO4ELtL.exe, 00000000.00000002.948372027.0000000003269000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekilo.dll4 vs x9VdO4ELtL.exe
Source: x9VdO4ELtL.exe | Binary or memory string: OriginalFilenameSetIcon.exeL vs x9VdO4ELtL.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/8@0/0
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | File created: C:\Users\user\Desktop\0_order1.jpg
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4044:120:WilError_01
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: x9VdO4ELtL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: x9VdO4ELtL.exe | Virustotal: Detection: 43%
Source: x9VdO4ELtL.exe | ReversingLabs: Detection: 64%
Source: unknown | Process created: C:\Users\user\Desktop\x9VdO4ELtL.exe 'C:\Users\user\Desktop\x9VdO4ELtL.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: x9VdO4ELtL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: x9VdO4ELtL.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: x9VdO4ELtL.exe | Static file information: File size 2459136 > 1048576
Source: x9VdO4ELtL.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x257c00
Source: x9VdO4ELtL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb | source: AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb | source: x9VdO4ELtL.exe, 00000000.00000002.948372027.0000000003269000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb4*N* @*_CorDllMainmscoree.dll | source: x9VdO4ELtL.exe, 00000000.00000002.948372027.0000000003269000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb | source: x9VdO4ELtL.exe, 00000000.00000002.946836823.0000000003030000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw | source: AddInProcess32.exe, 00000005.00000002.1194038212.0000000000FF2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 | source: x9VdO4ELtL.exe, 00000000.00000002.946836823.0000000003030000.00000004.00000001.sdmp

              Data Obfuscation:

Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Code function: 0_2_00A6209C push ebp; iretd 0_2_00A6209D
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Code function: 0_2_061002DF push es; ret 0_2_061002F0
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Code function: 0_2_061005E0 push es; ret 0_2_061005F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_0172D330 push ebx; retf 5_2_0172D331
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_0172D5F0 push ebx; retf 5_2_0172D601

Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

              Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | File opened: C:\Users\user\Desktop\x9VdO4ELtL.exe:Zone.Identifier read attributes | delete
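The entry above shows the sample opening its own Zone.Identifier alternate data stream with DELETE access, which strips the Mark-of-the-Web that records the file as an Internet download. The following Python is an added example, not part of the report: it parses the INI-style contents of that stream and, on Windows, reads it from an NTFS file by opening `<path>:Zone.Identifier`. The sample stream and its URLs are constructed placeholders, not values observed for this sample. The caveat for triage is built into `is_internet_download`: once the malware has deleted the stream, its absence proves nothing about origin, so the pre-execution record (mail gateway, browser download history, EDR file-create event) is the authoritative source for where the file came from.

```python
import configparser
import sys
from typing import Optional

# Constructed Zone.Identifier stream in the layout Windows writes for a browser download;
# the URLs are placeholders, not anything observed in the report.
SAMPLE_ADS = (b"[ZoneTransfer]\r\n"
              b"ZoneId=3\r\n"
              b"ReferrerUrl=https://example.invalid/\r\n"
              b"HostUrl=https://example.invalid/x9VdO4ELtL\r\n")

# URLZONE values as used by the shell and the Attachment Execution Service.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream into a dict."""
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n")
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        raise ValueError(f"not a Zone.Identifier stream: {exc}") from exc
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("missing [ZoneTransfer] section")
    sect = cp["ZoneTransfer"]
    zone_id = int(sect.get("ZoneId", "-1"))
    return {"zone_id": zone_id,
            "zone": ZONE_NAMES.get(zone_id, "Unknown"),
            "referrer": sect.get("ReferrerUrl"),
            "host": sect.get("HostUrl")}


def is_internet_download(motw: Optional[dict]) -> bool:
    """True for Internet and RestrictedSites. None (stream absent) is NOT evidence of a
    local origin: this sample deletes the stream, which is exactly what produces None."""
    return motw is not None and motw["zone_id"] >= 3


def read_motw(path: str) -> Optional[dict]:
    """Read <path>:Zone.Identifier on NTFS (Windows only); None when the stream is absent."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams require NTFS on Windows")
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ADS))
    if len(sys.argv) > 1:
        print(sys.argv[1], read_motw(sys.argv[1]))
```

Run it with a file path on a Windows host to inspect a suspect download; without arguments it only parses the constructed sample stream, so it also works on a non-Windows analysis box.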
Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Process information set: NOOPENFILEERRORBOX (37 identical entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Window / User API: threadDelayed 539
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3635
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1775
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window / User API: threadDelayed 586
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe TID: 312 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe TID: 4848 | Thread sleep count: 43 > 30
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe TID: 4848 | Thread sleep count: 539 > 30
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe TID: 4356 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4784 | Thread sleep count: 3635 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4828 | Thread sleep count: 1775 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 624 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 184 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 328 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1340 | Thread sleep count: 586 > 30
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 328 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 328 | Thread sleep time: -59814s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Process information queried: ProcessInformation

              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_0172398D KiUserExceptionDispatcher,LdrInitializeThunk,5_2_0172398D
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
              Injects a PE file into a foreign process
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 44E000
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 450000
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 100B008
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Process C:\Users\user\Desktop\0_order1.jpg
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: AddInProcess32.exe, 00000005.00000002.1195237573.0000000001D30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: AddInProcess32.exe, 00000005.00000002.1195237573.0000000001D30000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: AddInProcess32.exe, 00000005.00000002.1195237573.0000000001D30000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
              Source: AddInProcess32.exe, 00000005.00000002.1195237573.0000000001D30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Queries volume information: C:\Users\user\Desktop\x9VdO4ELtL.exe VolumeInformation
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 5_2_01721FF8 GetUserNameW,5_2_01721FF8
              Source: C:\Users\user\Desktop\x9VdO4ELtL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings:

              Uses netsh to modify the Windows network and firewall settings
              Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000005.00000002.1193920797.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.952683357.00000000044DE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.951175422.0000000004086000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.952085267.0000000004291000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.1195579663.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 4772, type: MEMORY
              Source: Yara match | File source: Process Memory Space: x9VdO4ELtL.exe PID: 4488, type: MEMORY
              Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal WLAN passwords
              Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to steal Mail credentials (via file access)
              Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match; File source: 00000005.00000002.1193920797.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.952683357.00000000044DE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.951175422.0000000004086000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.952085267.0000000004291000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000005.00000002.1195579663.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: AddInProcess32.exe PID: 4772, type: MEMORY
              Source: Yara match; File source: Process Memory Space: x9VdO4ELtL.exe PID: 4488, type: MEMORY
              Source: Yara match; File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Matrix rebuilt column by column (tactic: techniques); the number after a technique is the match count shown in the original matrix.

              Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
              Execution: Windows Management Instrumentation (211); PowerShell (1); Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
              Persistence: Hidden Files and Directories (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
              Privilege Escalation: Process Injection (312); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
              Defense Evasion: Masquerading (1); Hidden Files and Directories (1); Software Packing (1); Disabling Security Tools (11); Virtualization/Sandbox Evasion (13); Process Injection (312); Obfuscated Files or Information (1); Indicator Blocking
              Credential Access: Credential Dumping (1); Credentials in Registry (1); Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
              Discovery: Virtualization/Sandbox Evasion (13); Process Discovery (2); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); Security Software Discovery (11); File and Directory Discovery (1); System Information Discovery (113)
              Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
              Collection: Email Collection (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
              Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
              Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
              Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

              Behavior Graph


              Screenshots
