
Analysis Report PO-2008520096 PR 11662526_xlsm.exe

Overview

General Information

Sample Name:PO-2008520096 PR 11662526_xlsm.exe
MD5:062cbdf61004886a7658c255c7156559
SHA1:f312ce265ebff4f22c8d4781efda234e1d7be5fd
SHA256:c35b432e7065752be444cf5822063e979c7021997a7a8f963b33f8a3f4d5b318

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Yara detected AgentTesla
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Startup

  • System is w10x64
  • PO-2008520096 PR 11662526_xlsm.exe (PID: 5036 cmdline: 'C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe' MD5: 062CBDF61004886A7658C255C7156559)
    • cmd.exe (PID: 5184 cmdline: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 5372 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • Intellx.exe (PID: 5328 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' MD5: 062CBDF61004886A7658C255C7156559)
  • pcalua.exe (PID: 5320 cmdline: 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe MD5: CEB78417C510515FDE2B7AAED78063B4)
  • pcalua.exe (PID: 5704 cmdline: 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe MD5: CEB78417C510515FDE2B7AAED78063B4)
    • Intellx.exe (PID: 5848 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' MD5: 062CBDF61004886A7658C255C7156559)
      • AddInProcess32.exe (PID: 3592 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0A0lOBkyWN", "URL: ": "https://hhxQdfHsw4kq2F8zKk9.org", "To: ": "samyurch@yandex.ru", "ByHost: ": "smtp.yandex.ru:5878", "Password: ": "VmAGdefZ0aY7tB", "From: ": "samyurch@yandex.ru"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
PO-2008520096 PR 11662526_xlsm.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
PO-2008520096 PR 11662526_xlsm.exe (.text section) | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000003.961336300.000000000B7C6000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.871353572.000000000BA95000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.774340883.000000000BA51000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.774492397.000000000BA55000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.871476153.000000000BA9C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(table truncated: the full report lists 36 entries)

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.PO-2008520096 PR 11662526_xlsm.exe.d20000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.0.PO-2008520096 PR 11662526_xlsm.exe.d20000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.Intellx.exe.c90000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
13.2.Intellx.exe.920000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(table truncated: the full report lists 2 further entries)

Sigma Overview

System Summary:

Sigma detected: Add file from suspicious location to autostart registry
Source: Process started | Author: Joe Security | Data: Command: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe', CommandLine: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe' , ParentImage: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe, ParentProcessId: 5036, ProcessCommandLine: 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe', ProcessId: 5184
Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe' , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe, ParentProcessId: 5848, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 3592
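The two Sigma hits above only cover the reg.exe write and the odd AddInProcess32.exe launch. The process tree in the Startup section shows a longer chain worth detecting as a whole: cmd.exe spawning reg.exe to add a HKCU Run value whose data is pcalua.exe -a <AppData exe>, pcalua.exe then proxy-launching Intellx.exe, and Intellx.exe starting a copy of the .NET host AddInProcess32.exe from %Temp%. The following is an added example written for this report, not Joe Sandbox or Sigma code: it runs four process-creation rules over events constructed from the report's own Startup and Sigma fields (Sysmon-style names ProcessId, Image, ParentImage, CommandLine). Parent images for the top-level pcalua.exe processes are not printed in the report and are left empty; the two benign control events, and the assumption that a legitimate AddInProcess32.exe lives under C:\Windows\Microsoft.NET\, are mine.

```python
"""Process-creation rules for the persistence chain in this report (added example).

Events are constructed from the report's process tree; field names follow
Sysmon Event ID 1. Rule 4 assumes legitimate AddInProcess32.exe copies live
under C:\\Windows\\Microsoft.NET\\ (assumption, not stated in the report).
"""
import re

# Autostart locations checked by rule 1.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
# Paths a standard user can write to; autostart or proxy-exec targets here are suspicious.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)|ProgramData)\\", re.IGNORECASE)
# Rule 2: pcalua.exe -a <target>, with or without quotes around the target.
PCALUA_TARGET_RE = re.compile(r"-a\s+['\"]?([^'\"]+?\.exe)", re.IGNORECASE)
# .NET host binaries that malware copies out of the framework directory to hollow.
DOTNET_HOSTS = {"addinprocess32.exe", "addinprocess.exe"}


def detect(event: dict) -> list:
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    base = image.rsplit("\\", 1)[-1]

    # Rule 1: reg.exe (or cmd.exe /c reg) adds a Run value whose data launches a
    # LOLBin proxy or a binary in a user-writable directory.
    if (base in ("reg.exe", "cmd.exe")
            and re.search(r"\breg(\.exe)?\s+add\b", cmd, re.IGNORECASE)
            and RUN_KEY_RE.search(cmd)):
        m = re.search(r"/d\s+(.+)$", cmd, re.IGNORECASE)
        data = m.group(1) if m else ""
        if "pcalua.exe" in data.lower() or USER_WRITABLE_RE.search(data):
            hits.append("run_key_autostart_suspicious_target")

    # Rule 2: pcalua.exe used as an execution proxy for a user-writable binary.
    if base == "pcalua.exe":
        m = PCALUA_TARGET_RE.search(cmd)
        if m and USER_WRITABLE_RE.search(m.group(1)):
            hits.append("pcalua_proxy_exec_user_writable")

    # Rule 3: anything pcalua.exe starts from a user-writable path.
    if parent.endswith("\\pcalua.exe") and USER_WRITABLE_RE.search(image):
        hits.append("child_of_pcalua_from_user_writable")

    # Rule 4: a .NET host binary running outside the framework directory.
    if base in DOTNET_HOSTS and "\\windows\\microsoft.net\\" not in image:
        hits.append("dotnet_host_outside_framework_dir")

    return hits


def scan(events: list) -> dict:
    """Map ProcessId -> fired rules for every event with at least one hit."""
    findings = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            findings[ev["ProcessId"]] = hits
    return findings


# Constructed from the report's Startup section (command lines reproduced as printed there).
RUN_CMD = (r"REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ "
           r"/d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'")
SAMPLE = r"C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe"
INTELLX = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe"
PCALUA = r"C:\Windows\system32\pcalua.exe"

SAMPLE_EVENTS = [
    {"ProcessId": 5184, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": "'cmd.exe' /c " + RUN_CMD},
    {"ProcessId": 5156, "Image": r"C:\Windows\system32\conhost.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 5372, "Image": r"C:\Windows\SysWOW64\reg.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": RUN_CMD},
    {"ProcessId": 5320, "Image": PCALUA, "ParentImage": "",  # parent not given in the report
     "CommandLine": "'" + PCALUA + "' -a " + INTELLX},
    {"ProcessId": 5848, "Image": INTELLX, "ParentImage": PCALUA,
     "CommandLine": "'" + INTELLX + "'"},
    {"ProcessId": 3592, "Image": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe", "ParentImage": INTELLX,
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"},
    # Two benign controls (constructed, not from the report): a vendor updater in Program Files
    # registered under Run, and the real AddInProcess32.exe from the framework directory.
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe"'},
    {"ProcessId": 9002, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"},
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Rule 1 deliberately keys on the Run value's data rather than on reg.exe alone, so the vendor-updater control does not fire; rules 2 and 3 cover pcalua.exe from both the proxy's own command line and the child's parent, since either may be the only one a log source records.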

                            Signature Overview


AV Detection:

Found malware configuration
Source: AddInProcess32.exe.3592.14.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "=0A0lOBkyWN", "URL: ": "https://hhxQdfHsw4kq2F8zKk9.org", "To: ": "samyurch@yandex.ru", "ByHost: ": "smtp.yandex.ru:5878", "Password: ": "VmAGdefZ0aY7tB", "From: ": "samyurch@yandex.ru"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Virustotal: Detection: 29%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | ReversingLabs: Detection: 61%
Multi AV Scanner detection for submitted file
Source: PO-2008520096 PR 11662526_xlsm.exe | Virustotal: Detection: 29%
Source: PO-2008520096 PR 11662526_xlsm.exe | Metadefender: Detection: 18%
Source: PO-2008520096 PR 11662526_xlsm.exe | ReversingLabs: Detection: 61%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO-2008520096 PR 11662526_xlsm.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Users\user\AppData\Roaming

Source: global traffic | TCP traffic: 192.168.2.5:49738 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: unknown | DNS traffic detected: queries for: smtp.yandex.ru
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: Intellx.exe | String found in binary or memory: http://schemas.microso
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.=:7
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0.
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://www.certum.pl/CPS0
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03
Source: AddInProcess32.exe, 0000000E.00000002.1191006674.0000000002850000.00000004.00000001.sdmp | String found in binary or memory: https://hhxQdfHsw4kq2F8zKk9.org
Source: AddInProcess32.exe, 0000000E.00000002.1194911321.0000000005F60000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0
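The extracted configuration (Malware Configuration section) and the traffic above do not agree on every field: the config says ByHost smtp.yandex.ru:5878, while the only recorded flow goes to 77.88.21.158 on port 587, the standard SMTP submission port, right after a DNS query for smtp.yandex.ru. The Certum / yandex.ocsp-responder.com strings in the AddInProcess32.exe memory dump are consistent with a TLS handshake to Yandex mail infrastructure. The following is an added example for this report, not Joe Sandbox code: it normalises the extractor's output (the keys carry a trailing ": " exactly as printed), derives pivotable indicators, and reconciles them with the observed DNS query and flow. The mapping of smtp.yandex.ru to 77.88.21.158 is an assumption drawn from those two adjacent lines, as the report does not print the DNS answer.

```python
"""Reconcile the AgentTesla config extracted in this report with observed traffic (added example).

EXTRACTED_CONFIG is copied verbatim from the report (keys end in ': ').
The DNS query and flow are the report's; the resolution is an assumption.
"""
from urllib.parse import urlparse

EXTRACTED_CONFIG = {"Username: ": "=0A0lOBkyWN", "URL: ": "https://hhxQdfHsw4kq2F8zKk9.org",
                    "To: ": "samyurch@yandex.ru", "ByHost: ": "smtp.yandex.ru:5878",
                    "Password: ": "VmAGdefZ0aY7tB", "From: ": "samyurch@yandex.ru"}

OBSERVED_DNS = ["smtp.yandex.ru"]                          # from the report
OBSERVED_FLOWS = [{"src": "192.168.2.5", "sport": 49738,   # from the report
                   "dst": "77.88.21.158", "dport": 587, "proto": "tcp"}]
ASSUMED_RESOLUTIONS = {"smtp.yandex.ru": "77.88.21.158"}   # assumption, see docstring


def normalize_config(cfg: dict) -> dict:
    """Strip the extractor's ': ' key suffix and lower-case the keys."""
    return {k.strip().rstrip(":").strip().lower(): v for k, v in cfg.items()}


def network_iocs(cfg: dict) -> dict:
    """Pull the fields an analyst can pivot on out of the configuration."""
    n = normalize_config(cfg)
    host, _, port = n["byhost"].partition(":")
    return {
        "smtp_host": host.lower(),
        "smtp_port": int(port) if port.isdigit() else None,
        "mailboxes": sorted({n["from"].lower(), n["to"].lower()}),
        "url_host": (urlparse(n["url"]).hostname or "").lower(),
    }


def check_traffic(iocs: dict, dns_queries: list, flows: list, resolutions: dict) -> list:
    """Compare configuration indicators with observed traffic.

    A DNS query or a flow to the configured host corroborates the config.  A flow
    to that host on a port other than the configured one is reported separately:
    the host and mailbox fields are safe to use as indicators, the port is not.
    """
    findings = []
    if iocs["smtp_host"] in {q.lower() for q in dns_queries}:
        findings.append(("dns_query_matches_config_host", iocs["smtp_host"]))
    cfg_ip = resolutions.get(iocs["smtp_host"])
    for f in flows:
        if f["dst"] != cfg_ip:
            continue
        if f["dport"] == iocs["smtp_port"]:
            findings.append(("flow_matches_host_and_port", f["dport"]))
        else:
            findings.append(("flow_matches_host_port_differs", (iocs["smtp_port"], f["dport"])))
    return findings


if __name__ == "__main__":
    iocs = network_iocs(EXTRACTED_CONFIG)
    print(iocs)
    for finding in check_traffic(iocs, OBSERVED_DNS, OBSERVED_FLOWS, ASSUMED_RESOLUTIONS):
        print(finding)
```

For blocking or hunting, the host smtp.yandex.ru and the mailbox samyurch@yandex.ru are the fields this report supports; a rule keyed on port 5878 would have missed the flow the sandbox actually saw.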

Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.874067287.0000000001560000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                            System Summary:

.NET source code contains very large array initializations
Source: PO-2008520096 PR 11662526_xlsm.exe, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: Intellx.exe.0.dr, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 0.0.PO-2008520096 PR 11662526_xlsm.exe.d20000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 0.2.PO-2008520096 PR 11662526_xlsm.exe.d20000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 7.2.Intellx.exe.c90000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 7.0.Intellx.exe.c90000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 13.0.Intellx.exe.920000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: 13.2.Intellx.exe.920000.0.unpack, xQu002f/u003cModuleu003e.cs | Large array initialization: 7Gz: array initializer size 11136
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code functions: 0_2_01537989, 0_2_015397D0, 0_2_01531B80, 0_2_01537141, 0_2_01537562, 0_2_01537521, 0_2_01536DF6, 0_2_01537597, 0_2_01536D82, 0_2_015371AF, 0_2_01537040, 0_2_01537874, 0_2_01536417, 0_2_0153741F, 0_2_01537820, 0_2_015370E2, 0_2_01537084, 0_2_015374AE, 0_2_0153774C, 0_2_01531B70, 0_2_01536F27, 0_2_01537325, 0_2_01536FA2, 0_2_015373AD, 0_2_01537655, 0_2_01536E5A, 0_2_01537A79, 0_2_0153726B, 0_2_0153720D, 0_2_01537625, 0_2_01536EB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code functions: 13_2_012E20E0, 13_2_012E1B80, 13_2_012E7A88, 13_2_012E9C22, 13_2_012E97D0, 13_2_012E7141, 13_2_012E71AF, 13_2_012E7989, 13_2_012E7820, 13_2_012E7874, 13_2_012E7040, 13_2_012E7084, 13_2_012E70E2, 13_2_012E7325, 13_2_012E1B70, 13_2_012E73AD, 13_2_012E720D, 13_2_012E726B, 13_2_012E7A79, 13_2_012E7521, 13_2_012E7562, 13_2_012E6D82, 13_2_012E7597, 13_2_012E6DF6, 13_2_012E741F, 13_2_012E6417, 13_2_012E74AE, 13_2_012E6F27, 13_2_012E774C, 13_2_012E6FA2, 13_2_012E7625, 13_2_012E6E5A, 13_2_012E7655, 13_2_012E6EB8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code functions: 14_2_00592050, 14_2_0271FB30, 14_2_0271FB21, 14_2_04D324E3, 14_2_04D3E6E8, 14_2_04D30040, 14_2_04D381A8, 14_2_04D373C0, 14_2_04D3C3E8, 14_2_04D3F300, 14_2_04D33C88, 14_2_04D32FC0, 14_2_04D3EA30, 14_2_04D37797, 14_2_04D340B0, 14_2_04D3003F, 14_2_04D38198, 14_2_04D3C3D6, 14_2_04D373B0, 14_2_04D32ED1, 14_2_04D37816, 14_2_05CD350A, 14_2_05CDEE21, 14_2_05CD59D9, 14_2_05CDE968, 14_2_05CD08F0, 14_2_05CD6000, 14_2_05CD254C, 14_2_05CD170E, 14_2_05CD2625, 14_2_05CD2194, 14_2_05CD23DF, 14_2_05CDB3D8, 14_2_05E98AB8, 14_2_05E93A50
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Source: PO-2008520096 PR 11662526_xlsm.exe | Binary or memory string: OriginalFilename vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe | Binary or memory string: ProductVersiOriginalFilename vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.889236583.000000000C3B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.884353517.0000000005090000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekilo.dll4 vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.886567456.00000000057D0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.886567456.00000000057D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000003.871869060.000000000B9D2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamezDpxqqeGXYaQWkMwBNmrMolfqRIFCRwvfu.exe4 vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.874775141.0000000003010000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamelelea.exe, vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.874775141.0000000003010000.00000004.00000001.sdmp | Binary or memory string: ProductVersiOriginalFilenamezDpxqqeGXYaQWkMwBNmFCRwvfu.exe( vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.874775141.0000000003010000.00000004.00000001.sdmp | Binary or memory string: 9lHOriginalFilenamezDpxqqeGXYaQWkMwBNm vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.886073611.00000000056D0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000003.840783901.000000000BC65000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameyoop.exe@ vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.874067287.0000000001560000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe | Binary or memory string: ProductVersiOriginalFilenamezDpxqqeGXYaQWkMwBNmFCRwvfu.exe( vs PO-2008520096 PR 11662526_xlsm.exe
Source: PO-2008520096 PR 11662526_xlsm.exe | Binary or memory string: OriginalFilenameyoop.exe@ vs PO-2008520096 PR 11662526_xlsm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
Source: pcalua.exe, 00000005.00000002.828433835.0000016549A30000.00000004.00000020.sdmp | Binary or memory string: ;.VBp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/4@1/1
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-2008520096 PR 11662526_xlsm.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_01
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: PO-2008520096 PR 11662526_xlsm.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PO-2008520096 PR 11662526_xlsm.exe | Virustotal: Detection: 29%
Source: PO-2008520096 PR 11662526_xlsm.exe | Metadefender: Detection: 18%
Source: PO-2008520096 PR 11662526_xlsm.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | File read: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe 'C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
Source: unknown | Process created: C:\Windows\System32\pcalua.exe 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Intel /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
Source: C:\Windows\System32\pcalua.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO-2008520096 PR 11662526_xlsm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO-2008520096 PR 11662526_xlsm.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.884353517.0000000005090000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Switch\source\repos\stub\CopyEx\OchiiMei\OchiiMei\obj\Release\kilo.pdb4*N* @*_CorDllMainmscoree.dll source: PO-2008520096 PR 11662526_xlsm.exe, 00000000.00000002.884353517.0000000005090000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 0000000E.00000002.1189336854.0000000000592000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr

Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_00D2CCD4 push ss; retf
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_00D308C3 push es; retf
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_00D2C9B7 pushfd ; retf
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_00D2B5BC push cs; ret
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_00D2FD4D push cs; iretd
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_00D2BE17 push edi; iretd
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_00D2C617 push ecx; iretd
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_00D2FE03 push cs; iretd
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_00D2C30B push ecx; ret
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_0153940D push eax; retf
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_01538C27 push eax; retf
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Code function: 0_2_01537F03 push eax; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 7_2_00CA08C3 push es; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 7_2_00C9CCD4 push ss; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 7_2_00C9B5BC push cs; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 7_2_00C9C9B7 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 7_2_00C9FD4D push cs; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 7_2_00C9C30B push ecx; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 7_2_00C9FE03 push cs; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 7_2_00C9C617 push ecx; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 7_2_00C9BE17 push edi; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 13_2_0092C9B7 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 13_2_0092B5BC push cs; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 13_2_0092CCD4 push ss; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 13_2_009308C3 push es; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 13_2_0092BE17 push edi; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 13_2_0092C617 push ecx; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 13_2_0092FE03 push cs; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 13_2_0092C30B push ecx; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 13_2_0092FD4D push cs; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Code function: 13_2_012EADE0 push eax; retf

Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Intel

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | File opened: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\PO-2008520096 PR 11662526_xlsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\pcalua.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Intellx.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe — Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\u