
Analysis Report PO-2008520096 PR 11662526_xlsm.exe

Overview

General Information

Sample Name:PO-2008520096 PR 11662526_xlsm.exe
MD5:062cbdf61004886a7658c255c7156559
SHA1:f312ce265ebff4f22c8d4781efda234e1d7be5fd
SHA256:c35b432e7065752be444cf5822063e979c7021997a7a8f963b33f8a3f4d5b318


Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Yara detected AgentTesla
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • PO-2008520096 PR 11662526_xlsm.exe (PID: 5036 cmdline: 'C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe' MD5: 062CBDF61004886A7658C255C7156559)
    • cmd.exe (PID: 5184 cmdline: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 5372 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • Intellx.exe (PID: 5328 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' MD5: 062CBDF61004886A7658C255C7156559)
  • pcalua.exe (PID: 5320 cmdline: 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe MD5: CEB78417C510515FDE2B7AAED78063B4)
  • pcalua.exe (PID: 5704 cmdline: 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe MD5: CEB78417C510515FDE2B7AAED78063B4)
    • Intellx.exe (PID: 5848 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' MD5: 062CBDF61004886A7658C255C7156559)
      • AddInProcess32.exe (PID: 3592 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0A0lOBkyWN", "URL: ": "https://hhxQdfHsw4kq2F8zKk9.org", "To: ": "samyurch@yandex.ru", "ByHost: ": "smtp.yandex.ru:5878", "Password: ": "VmAGdefZ0aY7tB", "From: ": "samyurch@yandex.ru"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
PO-2008520096 PR 11662526_xlsm.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
  .text | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000003.961336300.000000000B7C6000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.871353572.000000000BA95000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.774340883.000000000BA51000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.774492397.000000000BA55000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.871476153.000000000BA9C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(36 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.PO-2008520096 PR 11662526_xlsm.exe.d20000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.0.PO-2008520096 PR 11662526_xlsm.exe.d20000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.Intellx.exe.c90000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
13.2.Intellx.exe.920000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(2 further unpacked PE entries not shown)

Sigma Overview

System Summary:

Sigma detected: Add file from suspicious location to autostart registry
Source: Process started | Author: Joe Security | Data: Command: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe', CommandLine: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe', ParentImage: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe, ParentProcessId: 5036, ProcessCommandLine: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe', ProcessId: 5184
Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe', ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe, ParentProcessId: 5848, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 3592

Signature Overview

AV Detection:

Found malware configuration
Source: AddInProcess32.exe.3592.14.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "=0A0lOBkyWN", "URL: ": "https://hhxQdfHsw4kq2F8zKk9.org", "To: ": "samyurch@yandex.ru", "ByHost: ": "smtp.yandex.ru:5878", "Password: ": "VmAGdefZ0aY7tB", "From: ": "samyurch@yandex.ru"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Virustotal: Detection: 29%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | ReversingLabs: Detection: 61%
Multi AV Scanner detection for submitted file
Source: PO-2008520096 PR 11662526_xlsm.exe | Virustotal: Detection: 29%
Source: PO-2008520096 PR 11662526_xlsm.exe | Metadefender: Detection: 18%
Source: PO-2008520096 PR 11662526_xlsm.exe | ReversingLabs: Detection: 61%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO-2008520096 PR 11662526_xlsm.exe | Joe Sandbox ML: detected
Source: 14.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user\AppData\Roaming

Source: global traffic | TCP traffic: 192.168.2.5:49738 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: global traffic | TCP traffic: 192.168.2.5:49738 -> 77.88.21.158:587
Source: unknown | DNS traffic detected: queries for: smtp.yandex.ru
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: Intellx.exe | String found in binary or memory: http://schemas.microso
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.=:7
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0.
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://www.certum.pl/CPS0
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03
Source: AddInProcess32.exe, 0000000E.00000002.1191006674.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: https://hhxQdfHsw4kq2F8zKk9.org
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0

Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.874067287.0000000001560000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: PO-2008520096 PR 11662526_xlsm.exe, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: Intellx.exe.0.dr, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 0.0.PO-2008520096 PR 11662526_xlsm.exe.d20000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 0.2.PO-2008520096 PR 11662526_xlsm.exe.d20000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 7.2.Intellx.exe.c90000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 7.0.Intellx.exe.c90000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 13.0.Intellx.exe.920000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 13.2.Intellx.exe.920000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code functions:
  0_2_01537989, 0_2_015397D0, 0_2_01531B80, 0_2_01537141, 0_2_01537562, 0_2_01537521, 0_2_01536DF6, 0_2_01537597,
  0_2_01536D82, 0_2_015371AF, 0_2_01537040, 0_2_01537874, 0_2_01536417, 0_2_0153741F, 0_2_01537820, 0_2_015370E2,
  0_2_01537084, 0_2_015374AE, 0_2_0153774C, 0_2_01531B70, 0_2_01536F27, 0_2_01537325, 0_2_01536FA2, 0_2_015373AD,
  0_2_01537655, 0_2_01536E5A, 0_2_01537A79, 0_2_0153726B, 0_2_0153720D, 0_2_01537625, 0_2_01536EB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code functions:
  13_2_012E20E0, 13_2_012E1B80, 13_2_012E7A88, 13_2_012E9C22, 13_2_012E97D0, 13_2_012E7141, 13_2_012E71AF, 13_2_012E7989,
  13_2_012E7820, 13_2_012E7874, 13_2_012E7040, 13_2_012E7084, 13_2_012E70E2, 13_2_012E7325, 13_2_012E1B70, 13_2_012E73AD,
  13_2_012E720D, 13_2_012E726B, 13_2_012E7A79, 13_2_012E7521, 13_2_012E7562, 13_2_012E6D82, 13_2_012E7597, 13_2_012E6DF6,
  13_2_012E741F, 13_2_012E6417, 13_2_012E74AE, 13_2_012E6F27, 13_2_012E774C, 13_2_012E6FA2, 13_2_012E7625, 13_2_012E6E5A,
  13_2_012E7655, 13_2_012E6EB8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code functions:
  14_2_00592050, 14_2_0271FB30, 14_2_0271FB21, 14_2_04D324E3, 14_2_04D3E6E8, 14_2_04D30040, 14_2_04D381A8, 14_2_04D373C0,
  14_2_04D3C3E8, 14_2_04D3F300, 14_2_04D33C88, 14_2_04D32FC0, 14_2_04D3EA30, 14_2_04D37797, 14_2_04D340B0, 14_2_04D3003F,
  14_2_04D38198, 14_2_04D3C3D6, 14_2_04D373B0, 14_2_04D32ED1, 14_2_04D37816, 14_2_05CD350A, 14_2_05CDEE21, 14_2_05CD59D9,
  14_2_05CDE968, 14_2_05CD08F0, 14_2_05CD6000, 14_2_05CD254C, 14_2_05CD08F0, 14_2_05CD170E, 14_2_05CD2625, 14_2_05CD2194,
  14_2_05CD23DF, 14_2_05CDB3D8, 14_2_05E98AB8, 14_2_05E93A50
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Source: PO-2008520096 PR 11662526_xlsm.exe | Binary or memory string: OriginalFilename vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe | Binary or memory string: ProductVersiOriginalFilename vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.889236583.000000000C3B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.884353517.0000000005090000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekilo.dll4 vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.886567456.00000000057D0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.886567456.00000000057D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000003.871869060.000000000B9D2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamezDpxqqeGXYaQWkMwBNmrMolfqRIFCRwvfu.exe4 vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.874775141.0000000003010000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamelelea.exe, vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.874775141.0000000003010000.00000004.00000001.sdmp | Binary or memory string: ProductVersiOriginalFilenamezDpxqqeGXYaQWkMwBNmFCRwvfu.exe( vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.874775141.0000000003010000.00000004.00000001.sdmp | Binary or memory string: 9lHOriginalFilenamezDpxqqeGXYaQWkMwBNm vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.886073611.00000000056D0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000003.840783901.000000000BC65000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameyoop.exe@ vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.874067287.0000000001560000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe | Binary or memory string: ProductVersiOriginalFilenamezDpxqqeGXYaQWkMwBNmFCRwvfu.exe( vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe | Binary or memory string: OriginalFilenameyoop.exe@ vs PO-2008520096 PR 11662526_xlsm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
Source: pcalua.exe, 00000005.00000002.828433835.0000016549A30000.00000004.00000020.sdmp | Binary or memory string: ;.VBp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/4@1/1
                            Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-2008520096 PR 11662526_xlsm.exe.logJump to behavior
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_01
                            Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeFile created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to behavior
                            Source: PO-2008520096 PR 11662526_xlsm.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                            Source: PO-2008520096 PR 11662526_xlsm.exeVirustotal: Detection: 29%
                            Source: PO-2008520096 PR 11662526_xlsm.exeMetadefender: Detection: 18%
                            Source: PO-2008520096 PR 11662526_xlsm.exeReversingLabs: Detection: 61%
                            Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeFile read: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeJump to behavior
                            Source: unknownProcess created: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe 'C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe'
                            Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
                            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
                            Source: unknownProcess created: C:\Windows\System32\pcalua.exe 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe
                            Source: unknownProcess created: C:\Windows\System32\pcalua.exe 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe
                            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
                            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
                            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                            Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' Jump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'Jump to behavior
                            Source: C:\Windows\System32\pcalua.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' Jump to behavior
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to behavior
                            Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                            Source: PO-2008520096 PR 11662526_xlsm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: PO-2008520096 PR 11662526_xlsm.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                            Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe.0.dr
                            Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.884353517.0000000005090000.00000004.00000001.sdmp
                            Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb4*N* @*_CorDllMainmscoree.dll source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.884353517.0000000005090000.00000004.00000001.sdmp
                            Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 0000000E.00000002.1189336854.0000000000592000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr

Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_00D2CCD4 push ss; retf 0_2_00D2CD64
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_00D308C3 push es; retf 0_2_00D308C4
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_00D2C9B7 pushfd ; retf 0_2_00D2C9C8
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_00D2B5BC push cs; ret 0_2_00D2B5D7
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_00D2FD4D push cs; iretd 0_2_00D2FDD0
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_00D2BE17 push edi; iretd 0_2_00D2BE33
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_00D2C617 push ecx; iretd 0_2_00D2C61D
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_00D2FE03 push cs; iretd 0_2_00D2FE04
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_00D2C30B push ecx; ret 0_2_00D2C30C
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_0153940D push eax; retf 0_2_0153940E
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_01538C27 push eax; retf 0_2_01538C28
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Code function: 0_2_01537F03 push eax; retf 0_2_01537F04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 7_2_00CA08C3 push es; retf 7_2_00CA08C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 7_2_00C9CCD4 push ss; retf 7_2_00C9CD64
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 7_2_00C9B5BC push cs; ret 7_2_00C9B5D7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 7_2_00C9C9B7 pushfd ; retf 7_2_00C9C9C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 7_2_00C9FD4D push cs; iretd 7_2_00C9FDD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 7_2_00C9C30B push ecx; ret 7_2_00C9C30C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 7_2_00C9FE03 push cs; iretd 7_2_00C9FE04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 7_2_00C9C617 push ecx; iretd 7_2_00C9C61D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 7_2_00C9BE17 push edi; iretd 7_2_00C9BE33
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 13_2_0092C9B7 pushfd ; retf 13_2_0092C9C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 13_2_0092B5BC push cs; ret 13_2_0092B5D7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 13_2_0092CCD4 push ss; retf 13_2_0092CD64
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 13_2_009308C3 push es; retf 13_2_009308C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 13_2_0092BE17 push edi; iretd 13_2_0092BE33
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 13_2_0092C617 push ecx; iretd 13_2_0092C61D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 13_2_0092FE03 push cs; iretd 13_2_0092FE04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 13_2_0092C30B push ecx; ret 13_2_0092C30C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 13_2_0092FD4D push cs; iretd 13_2_0092FDD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- Code function: 13_2_012EADE0 push eax; retf 13_2_012EADE1

Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\SysWOW64\reg.exe -- Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Intel

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- File opened: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe -- Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\PO-20085<