Windows Analysis Report 1iO53raUh69l6nV.exe

Yara detected Generic Downloader

Source: 1iO53raUh69l6nV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1iO53raUh69l6nV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RZSu.pdb source: 1iO53raUh69l6nV.exe
Source:	Binary string: RZSu.pdbSHA256 source: 1iO53raUh69l6nV.exe

Networking

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.224:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.198.143:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.223:587

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225
Source: Joe Sandbox View	IP Address: 208.91.199.223 208.91.199.223
Source: Joe Sandbox View	IP Address: 208.91.199.224 208.91.199.224

Uses SMTP (mail sending)

Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.224:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.198.143:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.223:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2472852502.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, 1iO53raUh69l6nV.exe, 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, cPKWk.cs	.Net Code: PWYyNOa
Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, cPKWk.cs	.Net Code: PWYyNOa

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 1.2.1iO53raUh69l6nV.exe.4b70000.4.raw.unpack, LoginForm.cs

Large array initialization: : array initializer size 33603

.NET source code contains very large strings

Source: 1iO53raUh69l6nV.exe, Frm_Initialize.cs

Long String: Length: 127053

Detected potential crypto function

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_0230DC74	1_2_0230DC74
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32030	1_2_04F32030
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32020	1_2_04F32020
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F341E8	1_2_04F341E8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F341D9	1_2_04F341D9
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F302E0	1_2_04F302E0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F302D1	1_2_04F302D1
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32EE8	1_2_04F32EE8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32ED9	1_2_04F32ED9
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33491	1_2_04F33491
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F39768	1_2_04F39768
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F39758	1_2_04F39758
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F310A0	1_2_04F310A0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F31190	1_2_04F31190
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F35150	1_2_04F35150
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F35141	1_2_04F35141
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F3B288	1_2_04F3B288
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F3B278	1_2_04F3B278
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33258	1_2_04F33258
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33248	1_2_04F33248
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33ED0	1_2_04F33ED0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33EC0	1_2_04F33EC0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F31E39	1_2_04F31E39
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F31AB1	1_2_04F31AB1
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_090639C8	1_2_090639C8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09064808	1_2_09064808
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09062311	1_2_09062311
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09062320	1_2_09062320
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09068BF8	1_2_09068BF8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09063E00	1_2_09063E00
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09061EE8	1_2_09061EE8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CEDB57	2_2_00CEDB57
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CEA068	2_2_00CEA068
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CEBB58	2_2_00CEBB58
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02834A98	2_2_02834A98
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02839BF2	2_2_02839BF2
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02833E80	2_2_02833E80
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_0283CE98	2_2_0283CE98
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_028341C8	2_2_028341C8

Sample file is different than original file name gathered from version info

Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1240206329.0000000007FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1235745210.0000000002703000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename30e7bd5c-bf01-43c1-b417-4b8cd9ce37cc.exe4 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename30e7bd5c-bf01-43c1-b417-4b8cd9ce37cc.exe4 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000000.1221429388.00000000000E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRZSu.exe: vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1238927547.0000000004B70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2470990729.00000000007E9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2470688902.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename30e7bd5c-bf01-43c1-b417-4b8cd9ce37cc.exe4 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe	Binary or memory string: OriginalFilenameRZSu.exe: vs 1iO53raUh69l6nV.exe

Source: 1iO53raUh69l6nV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 1iO53raUh69l6nV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.SetAccessControl
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.AddAccessRule
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, IYZ53VXbxXwObATeYM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.SetAccessControl
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.AddAccessRule
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.SetAccessControl
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.AddAccessRule
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, IYZ53VXbxXwObATeYM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, IYZ53VXbxXwObATeYM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/4

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1iO53raUh69l6nV.exe.log

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Mutant created: NULL

Source: 1iO53raUh69l6nV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1iO53raUh69l6nV.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 1iO53raUh69l6nV.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File read: C:\Users\user\Desktop\1iO53raUh69l6nV.exe:Zone.Identifier

Source: unknown	Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

.NET source code contains potential unpacker

Source: 1iO53raUh69l6nV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1iO53raUh69l6nV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 1iO53raUh69l6nV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RZSu.pdb source: 1iO53raUh69l6nV.exe
Source:	Binary string: RZSu.pdbSHA256 source: 1iO53raUh69l6nV.exe

Data Obfuscation

Source: 1iO53raUh69l6nV.exe, Frm_Initialize.cs	.Net Code: InitializeComponent
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	.Net Code: OfqWjVrG5E System.Reflection.Assembly.Load(byte[])
Source: 1.2.1iO53raUh69l6nV.exe.4b70000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	.Net Code: OfqWjVrG5E System.Reflection.Assembly.Load(byte[])
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	.Net Code: OfqWjVrG5E System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: 1iO53raUh69l6nV.exe

Static PE information: 0x9A6EEF3E [Wed Feb 7 23:31:10 2052 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F30BE7 pushad ; retf	1_2_04F30BE8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F30BDD pushad ; retf	1_2_04F30BDE
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CE4CB0 pushfd ; iretd	2_2_00CE4CB9
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CE12D0 push ecx; iretd	2_2_00CE12DA
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CE12BF push ecx; iretd	2_2_00CE12CA
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02839B40 push eax; retf 02A0h	2_2_02839BF1

Source: 1iO53raUh69l6nV.exe

Static PE information: section name: .text entropy: 7.246440036496841

Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, JNo5aAuf1evRt1lPgP.cs	High entropy of concatenated method names: 'KO6mVFbbZw', 'Atkm9VN4aw', 'tjamW6NUG0', 'BtGmqHObRI', 'qkymSyNAn0', 'NUUmUMxYFQ', 'XCxmnemLLQ', 'XSxN4YNGvH', 'nm8NArcTwA', 'CGIN68Exs8'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, pv44dh69OxkXse9LugM.cs	High entropy of concatenated method names: 'JbcmY9Dkel', 'VP0ms2HiI2', 'pYGmjmMXjF', 'GONmpZjaBC', 'lVmmXFR43s', 'HnIm72EoMc', 'EM3moe44sD', 'nuDmlv4v5a', 'h3umriw2HQ', 'EjVm2n61lE'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, KYwJwe2MQNtymlYNMg.cs	High entropy of concatenated method names: 'bWAdl29MSo', 'UQJdrFCt7q', 'on1dC3TdFa', 'p9Bd5tHgg6', 'dtcdbCdInt', 'Anjd07dJu7', 'cmSdigvsLg', 'XmGdMgsUnn', 'VpAdQTSGF5', 'YWCdEFDGRA'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, IYZ53VXbxXwObATeYM.cs	High entropy of concatenated method names: 'ulCS3eFpWx', 'I98S801CRy', 'pPwSvvO4yl', 'lOnShj0TWk', 'pHiSxc4jLm', 'OmTStweKfn', 'swFS4ZhsUo', 'gXKSAthHlE', 'mGHS6gdEXc', 'DCYSOkCq8S'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, DQe1HhAG2ZWVNAEk3r.cs	High entropy of concatenated method names: 'YSLkQ8tf5x', 'sKekagDbVJ', 'xqok3FWTFr', 'BGOk8bB1Ae', 'm6uk5Zf0r0', 'nvtkHBG3an', 'j1IkbIuXOF', 'zayk0ofUbM', 'DuIkcd5NCi', 'rVtkii5DFM'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, BBg2Y7jIWxvOriNXUm.cs	High entropy of concatenated method names: 'CuENqMgqHc', 'j0RNSaubEf', 'thrNeSfKsH', 'XAGNUOEE8p', 'mmBNnreeTN', 'I7tNg3kOWo', 'D9uNZFgUX5', 'UcYNFOIAE0', 'a5PNLPC4FB', 'L15NTEoSll'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, idhxbnecpeZAsitbF9.cs	High entropy of concatenated method names: 'LpIUXahvRu', 'gYsUoQT9bq', 'D8UeHWNK4O', 'trNeb8dXSG', 'VuMe0vA40a', 'VlWecsOkHQ', 'j61eioIoL9', 'T1ceMqxKe0', 'tETefmwq0x', 'fjLeQFFjiY'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, lsQA76HNqrX4BikMLF.cs	High entropy of concatenated method names: 'x2RgY9D8VD', 'vR4gsaX1CI', 'S0xgjc3tYu', 'q01gp4jLZh', 'FOKgX9CkV1', 'P82g7qCEiX', 'BPvgoMOJ23', 'qwuglDiOsl', 'hHmgrJjJvY', 'eEsg2lcFJd'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	High entropy of concatenated method names: 'Sfa9uHFi4P', 'riS9qWXRtk', 'cnh9SXb65m', 'rQ19elyBGI', 'wR69UwLJ0F', 'K2u9nu37VT', 'cxY9gHErh4', 'f8U9ZqjXPO', 'Lv69FHcC0I', 'Ryy9LOv92A'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, YG1QWTMKBlq2lrPaKR.cs	High entropy of concatenated method names: 'dlCnuhQIIP', 'KGcnS0p9tB', 'WTjnU7YjND', 'BgxngPmx0s', 'Kc4nZPhlnT', 'chYUx98KqB', 'LN8UtcEL0f', 'AVuU4NtDil', 'PtuUAf2WLn', 'hrEU6AHFZe'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, UKoJlhq4dhgqka6men.cs	High entropy of concatenated method names: 'QD1jsw5IO', 'gJ3p47PZk', 'vG07V00ot', 'tFGoKvplv', 'FNLr8tfJ9', 'TsF2Hi16Q', 'RiJHq23CWovSk9esxh', 'NxerK3FJ2KVmtXHyaG', 'OxgNMUJNP', 'AbKy4AJGs'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, MVRrFKnI179dQDHU5g.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a0WB66F3Jv', 'L6bBOnfK7J', 'puNBz3Zu8g', 'eQc9RQvUAV', 'vVO9VaSf9M', 'JOn9BWWXtU', 'htV996NPbr', 'yjqsbhi5Kcy4cxhkTZ4'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, Nu0M8u8wMpySfZCVwB.cs	High entropy of concatenated method names: 'Dispose', 'DPfV6gZ4ur', 'MygB5XRAMT', 'GXTKK23eGU', 'ABvVO3wSK6', 'PfgVz5n1GT', 'ProcessDialogKey', 'BYSBRBKUvx', 'GOJBVKh9or', 'GBCBBUaMg1'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, s8W0FW66VmDbecc4pUf.cs	High entropy of concatenated method names: 'ToString', 'n3Iy90Rxlg', 'CK3yWwg1Bt', 'fBvyukaC1o', 'bFiyqmKkWP', 'ENAySvmVVi', 'CUZyecmJdh', 'olEyUDqHm6', 'GFgXEDCFmFL1HJRRA4O', 'mI9Qy2CLqwhHHT24xhk'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, vM4pkdQhgCgho4invJ.cs	High entropy of concatenated method names: 'l59JAfIunQ', 'l7mJO89hXn', 'MFHNRHnuhd', 'EQ5NVJnPtu', 'Ae0JEtrUM5', 'ksKJaSKAXS', 'gmGJG0FBig', 'KgYJ3pB3Qg', 'OyTJ8klmk6', 'qQIJv9crwb'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, cDSYvoo2jIECEdk31y.cs	High entropy of concatenated method names: 'ToString', 'UgNwESsXnc', 'gnsw5d1X90', 'lynwHFjLjA', 'Ni4wbXCNxT', 'onQw0FTb0L', 'JHDwcdKshw', 'Beswi4wE20', 'iCBwMEchoa', 'L1OwfL9728'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, I8WSH91ugPBrVbT72f.cs	High entropy of concatenated method names: 'ho5VgH6WIv', 'DgFVZNUlet', 'oLYVLRbkH3', 'lgUVTIv31C', 'PugVkXBsT2', 'CT6VwwW4PR', 'EeFkZ8SCX6xPEDynIR', 'bHEwSnwZh3SVhdjy4b', 'gA5VVjJ80j', 'I6fV9WN82N'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, N162suOFhMp83rR8YW.cs	High entropy of concatenated method names: 'blTgqVHS9L', 'n2JgeUDLVG', 'YEygnC8AdF', 'EeLnOVB4p2', 'vqcnzRN9ZL', 'ag7gRMPVAs', 'nO9gVVyiTp', 'ycOgBDK6SL', 'YyFg9FtOxS', 'hfPgWdUON0'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, sZ3VmRhklnRckKFXBQ.cs	High entropy of concatenated method names: 'k09JLU5745', 'AmtJTYNa5I', 'ToString', 'jqpJq0Hjba', 'U7uJSkIduq', 'd3HJeBCtkE', 'rDlJUVuBDe', 'fgfJnHUsrD', 'G2GJgMQrod', 'poZJZpgU5I'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, byeJX0zrkYWomtClHa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbwmdXukOn', 'EFkmkAT2XU', 'FyBmwCb29p', 'PkGmJ3KW2g', 'rDCmN8I6Fi', 'Fp2mmsXNst', 'NAKmyqv9LX'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, yUcjGLUKCl2sD1MjiU.cs	High entropy of concatenated method names: 'T9cepk51v0', 'B2Ge7h7hsv', 'dhLel0rWOD', 'l2werP8wBo', 'l23ekJXDn6', 'WL8ewGwg2Y', 'uDgeJTEJwI', 'iUheNQs8Fi', 'WbFemZgQxK', 'g8Xey1RWgu'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, JNo5aAuf1evRt1lPgP.cs	High entropy of concatenated method names: 'KO6mVFbbZw', 'Atkm9VN4aw', 'tjamW6NUG0', 'BtGmqHObRI', 'qkymSyNAn0', 'NUUmUMxYFQ', 'XCxmnemLLQ', 'XSxN4YNGvH', 'nm8NArcTwA', 'CGIN68Exs8'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, pv44dh69OxkXse9LugM.cs	High entropy of concatenated method names: 'JbcmY9Dkel', 'VP0ms2HiI2', 'pYGmjmMXjF', 'GONmpZjaBC', 'lVmmXFR43s', 'HnIm72EoMc', 'EM3moe44sD', 'nuDmlv4v5a', 'h3umriw2HQ', 'EjVm2n61lE'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, KYwJwe2MQNtymlYNMg.cs	High entropy of concatenated method names: 'bWAdl29MSo', 'UQJdrFCt7q', 'on1dC3TdFa', 'p9Bd5tHgg6', 'dtcdbCdInt', 'Anjd07dJu7', 'cmSdigvsLg', 'XmGdMgsUnn', 'VpAdQTSGF5', 'YWCdEFDGRA'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, IYZ53VXbxXwObATeYM.cs	High entropy of concatenated method names: 'ulCS3eFpWx', 'I98S801CRy', 'pPwSvvO4yl', 'lOnShj0TWk', 'pHiSxc4jLm', 'OmTStweKfn', 'swFS4ZhsUo', 'gXKSAthHlE', 'mGHS6gdEXc', 'DCYSOkCq8S'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, DQe1HhAG2ZWVNAEk3r.cs	High entropy of concatenated method names: 'YSLkQ8tf5x', 'sKekagDbVJ', 'xqok3FWTFr', 'BGOk8bB1Ae', 'm6uk5Zf0r0', 'nvtkHBG3an', 'j1IkbIuXOF', 'zayk0ofUbM', 'DuIkcd5NCi', 'rVtkii5DFM'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, BBg2Y7jIWxvOriNXUm.cs	High entropy of concatenated method names: 'CuENqMgqHc', 'j0RNSaubEf', 'thrNeSfKsH', 'XAGNUOEE8p', 'mmBNnreeTN', 'I7tNg3kOWo', 'D9uNZFgUX5', 'UcYNFOIAE0', 'a5PNLPC4FB', 'L15NTEoSll'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, idhxbnecpeZAsitbF9.cs	High entropy of concatenated method names: 'LpIUXahvRu', 'gYsUoQT9bq', 'D8UeHWNK4O', 'trNeb8dXSG', 'VuMe0vA40a', 'VlWecsOkHQ', 'j61eioIoL9', 'T1ceMqxKe0', 'tETefmwq0x', 'fjLeQFFjiY'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, lsQA76HNqrX4BikMLF.cs	High entropy of concatenated method names: 'x2RgY9D8VD', 'vR4gsaX1CI', 'S0xgjc3tYu', 'q01gp4jLZh', 'FOKgX9CkV1', 'P82g7qCEiX', 'BPvgoMOJ23', 'qwuglDiOsl', 'hHmgrJjJvY', 'eEsg2lcFJd'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	High entropy of concatenated method names: 'Sfa9uHFi4P', 'riS9qWXRtk', 'cnh9SXb65m', 'rQ19elyBGI', 'wR69UwLJ0F', 'K2u9nu37VT', 'cxY9gHErh4', 'f8U9ZqjXPO', 'Lv69FHcC0I', 'Ryy9LOv92A'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, YG1QWTMKBlq2lrPaKR.cs	High entropy of concatenated method names: 'dlCnuhQIIP', 'KGcnS0p9tB', 'WTjnU7YjND', 'BgxngPmx0s', 'Kc4nZPhlnT', 'chYUx98KqB', 'LN8UtcEL0f', 'AVuU4NtDil', 'PtuUAf2WLn', 'hrEU6AHFZe'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, UKoJlhq4dhgqka6men.cs	High entropy of concatenated method names: 'QD1jsw5IO', 'gJ3p47PZk', 'vG07V00ot', 'tFGoKvplv', 'FNLr8tfJ9', 'TsF2Hi16Q', 'RiJHq23CWovSk9esxh', 'NxerK3FJ2KVmtXHyaG', 'OxgNMUJNP', 'AbKy4AJGs'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, MVRrFKnI179dQDHU5g.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a0WB66F3Jv', 'L6bBOnfK7J', 'puNBz3Zu8g', 'eQc9RQvUAV', 'vVO9VaSf9M', 'JOn9BWWXtU', 'htV996NPbr', 'yjqsbhi5Kcy4cxhkTZ4'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, Nu0M8u8wMpySfZCVwB.cs	High entropy of concatenated method names: 'Dispose', 'DPfV6gZ4ur', 'MygB5XRAMT', 'GXTKK23eGU', 'ABvVO3wSK6', 'PfgVz5n1GT', 'ProcessDialogKey', 'BYSBRBKUvx', 'GOJBVKh9or', 'GBCBBUaMg1'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, s8W0FW66VmDbecc4pUf.cs	High entropy of concatenated method names: 'ToString', 'n3Iy90Rxlg', 'CK3yWwg1Bt', 'fBvyukaC1o', 'bFiyqmKkWP', 'ENAySvmVVi', 'CUZyecmJdh', 'olEyUDqHm6', 'GFgXEDCFmFL1HJRRA4O', 'mI9Qy2CLqwhHHT24xhk'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, vM4pkdQhgCgho4invJ.cs	High entropy of concatenated method names: 'l59JAfIunQ', 'l7mJO89hXn', 'MFHNRHnuhd', 'EQ5NVJnPtu', 'Ae0JEtrUM5', 'ksKJaSKAXS', 'gmGJG0FBig', 'KgYJ3pB3Qg', 'OyTJ8klmk6', 'qQIJv9crwb'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, cDSYvoo2jIECEdk31y.cs	High entropy of concatenated method names: 'ToString', 'UgNwESsXnc', 'gnsw5d1X90', 'lynwHFjLjA', 'Ni4wbXCNxT', 'onQw0FTb0L', 'JHDwcdKshw', 'Beswi4wE20', 'iCBwMEchoa', 'L1OwfL9728'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, I8WSH91ugPBrVbT72f.cs	High entropy of concatenated method names: 'ho5VgH6WIv', 'DgFVZNUlet', 'oLYVLRbkH3', 'lgUVTIv31C', 'PugVkXBsT2', 'CT6VwwW4PR', 'EeFkZ8SCX6xPEDynIR', 'bHEwSnwZh3SVhdjy4b', 'gA5VVjJ80j', 'I6fV9WN82N'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, N162suOFhMp83rR8YW.cs	High entropy of concatenated method names: 'blTgqVHS9L', 'n2JgeUDLVG', 'YEygnC8AdF', 'EeLnOVB4p2', 'vqcnzRN9ZL', 'ag7gRMPVAs', 'nO9gVVyiTp', 'ycOgBDK6SL', 'YyFg9FtOxS', 'hfPgWdUON0'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, sZ3VmRhklnRckKFXBQ.cs	High entropy of concatenated method names: 'k09JLU5745', 'AmtJTYNa5I', 'ToString', 'jqpJq0Hjba', 'U7uJSkIduq', 'd3HJeBCtkE', 'rDlJUVuBDe', 'fgfJnHUsrD', 'G2GJgMQrod', 'poZJZpgU5I'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, byeJX0zrkYWomtClHa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbwmdXukOn', 'EFkmkAT2XU', 'FyBmwCb29p', 'PkGmJ3KW2g', 'rDCmN8I6Fi', 'Fp2mmsXNst', 'NAKmyqv9LX'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, yUcjGLUKCl2sD1MjiU.cs	High entropy of concatenated method names: 'T9cepk51v0', 'B2Ge7h7hsv', 'dhLel0rWOD', 'l2werP8wBo', 'l23ekJXDn6', 'WL8ewGwg2Y', 'uDgeJTEJwI', 'iUheNQs8Fi', 'WbFemZgQxK', 'g8Xey1RWgu'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, JNo5aAuf1evRt1lPgP.cs	High entropy of concatenated method names: 'KO6mVFbbZw', 'Atkm9VN4aw', 'tjamW6NUG0', 'BtGmqHObRI', 'qkymSyNAn0', 'NUUmUMxYFQ', 'XCxmnemLLQ', 'XSxN4YNGvH', 'nm8NArcTwA', 'CGIN68Exs8'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, pv44dh69OxkXse9LugM.cs	High entropy of concatenated method names: 'JbcmY9Dkel', 'VP0ms2HiI2', 'pYGmjmMXjF', 'GONmpZjaBC', 'lVmmXFR43s', 'HnIm72EoMc', 'EM3moe44sD', 'nuDmlv4v5a', 'h3umriw2HQ', 'EjVm2n61lE'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, KYwJwe2MQNtymlYNMg.cs	High entropy of concatenated method names: 'bWAdl29MSo', 'UQJdrFCt7q', 'on1dC3TdFa', 'p9Bd5tHgg6', 'dtcdbCdInt', 'Anjd07dJu7', 'cmSdigvsLg', 'XmGdMgsUnn', 'VpAdQTSGF5', 'YWCdEFDGRA'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, IYZ53VXbxXwObATeYM.cs	High entropy of concatenated method names: 'ulCS3eFpWx', 'I98S801CRy', 'pPwSvvO4yl', 'lOnShj0TWk', 'pHiSxc4jLm', 'OmTStweKfn', 'swFS4ZhsUo', 'gXKSAthHlE', 'mGHS6gdEXc', 'DCYSOkCq8S'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, DQe1HhAG2ZWVNAEk3r.cs	High entropy of concatenated method names: 'YSLkQ8tf5x', 'sKekagDbVJ', 'xqok3FWTFr', 'BGOk8bB1Ae', 'm6uk5Zf0r0', 'nvtkHBG3an', 'j1IkbIuXOF', 'zayk0ofUbM', 'DuIkcd5NCi', 'rVtkii5DFM'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, BBg2Y7jIWxvOriNXUm.cs	High entropy of concatenated method names: 'CuENqMgqHc', 'j0RNSaubEf', 'thrNeSfKsH', 'XAGNUOEE8p', 'mmBNnreeTN', 'I7tNg3kOWo', 'D9uNZFgUX5', 'UcYNFOIAE0', 'a5PNLPC4FB', 'L15NTEoSll'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, idhxbnecpeZAsitbF9.cs	High entropy of concatenated method names: 'LpIUXahvRu', 'gYsUoQT9bq', 'D8UeHWNK4O', 'trNeb8dXSG', 'VuMe0vA40a', 'VlWecsOkHQ', 'j61eioIoL9', 'T1ceMqxKe0', 'tETefmwq0x', 'fjLeQFFjiY'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, lsQA76HNqrX4BikMLF.cs	High entropy of concatenated method names: 'x2RgY9D8VD', 'vR4gsaX1CI', 'S0xgjc3tYu', 'q01gp4jLZh', 'FOKgX9CkV1', 'P82g7qCEiX', 'BPvgoMOJ23', 'qwuglDiOsl', 'hHmgrJjJvY', 'eEsg2lcFJd'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	High entropy of concatenated method names: 'Sfa9uHFi4P', 'riS9qWXRtk', 'cnh9SXb65m', 'rQ19elyBGI', 'wR69UwLJ0F', 'K2u9nu37VT', 'cxY9gHErh4', 'f8U9ZqjXPO', 'Lv69FHcC0I', 'Ryy9LOv92A'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, YG1QWTMKBlq2lrPaKR.cs	High entropy of concatenated method names: 'dlCnuhQIIP', 'KGcnS0p9tB', 'WTjnU7YjND', 'BgxngPmx0s', 'Kc4nZPhlnT', 'chYUx98KqB', 'LN8UtcEL0f', 'AVuU4NtDil', 'PtuUAf2WLn', 'hrEU6AHFZe'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, UKoJlhq4dhgqka6men.cs	High entropy of concatenated method names: 'QD1jsw5IO', 'gJ3p47PZk', 'vG07V00ot', 'tFGoKvplv', 'FNLr8tfJ9', 'TsF2Hi16Q', 'RiJHq23CWovSk9esxh', 'NxerK3FJ2KVmtXHyaG', 'OxgNMUJNP', 'AbKy4AJGs'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, MVRrFKnI179dQDHU5g.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a0WB66F3Jv', 'L6bBOnfK7J', 'puNBz3Zu8g', 'eQc9RQvUAV', 'vVO9VaSf9M', 'JOn9BWWXtU', 'htV996NPbr', 'yjqsbhi5Kcy4cxhkTZ4'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, Nu0M8u8wMpySfZCVwB.cs	High entropy of concatenated method names: 'Dispose', 'DPfV6gZ4ur', 'MygB5XRAMT', 'GXTKK23eGU', 'ABvVO3wSK6', 'PfgVz5n1GT', 'ProcessDialogKey', 'BYSBRBKUvx', 'GOJBVKh9or', 'GBCBBUaMg1'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, s8W0FW66VmDbecc4pUf.cs	High entropy of concatenated method names: 'ToString', 'n3Iy90Rxlg', 'CK3yWwg1Bt', 'fBvyukaC1o', 'bFiyqmKkWP', 'ENAySvmVVi', 'CUZyecmJdh', 'olEyUDqHm6', 'GFgXEDCFmFL1HJRRA4O', 'mI9Qy2CLqwhHHT24xhk'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, vM4pkdQhgCgho4invJ.cs	High entropy of concatenated method names: 'l59JAfIunQ', 'l7mJO89hXn', 'MFHNRHnuhd', 'EQ5NVJnPtu', 'Ae0JEtrUM5', 'ksKJaSKAXS', 'gmGJG0FBig', 'KgYJ3pB3Qg', 'OyTJ8klmk6', 'qQIJv9crwb'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, cDSYvoo2jIECEdk31y.cs	High entropy of concatenated method names: 'ToString', 'UgNwESsXnc', 'gnsw5d1X90', 'lynwHFjLjA', 'Ni4wbXCNxT', 'onQw0FTb0L', 'JHDwcdKshw', 'Beswi4wE20', 'iCBwMEchoa', 'L1OwfL9728'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, I8WSH91ugPBrVbT72f.cs	High entropy of concatenated method names: 'ho5VgH6WIv', 'DgFVZNUlet', 'oLYVLRbkH3', 'lgUVTIv31C', 'PugVkXBsT2', 'CT6VwwW4PR', 'EeFkZ8SCX6xPEDynIR', 'bHEwSnwZh3SVhdjy4b', 'gA5VVjJ80j', 'I6fV9WN82N'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, N162suOFhMp83rR8YW.cs	High entropy of concatenated method names: 'blTgqVHS9L', 'n2JgeUDLVG', 'YEygnC8AdF', 'EeLnOVB4p2', 'vqcnzRN9ZL', 'ag7gRMPVAs', 'nO9gVVyiTp', 'ycOgBDK6SL', 'YyFg9FtOxS', 'hfPgWdUON0'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, sZ3VmRhklnRckKFXBQ.cs	High entropy of concatenated method names: 'k09JLU5745', 'AmtJTYNa5I', 'ToString', 'jqpJq0Hjba', 'U7uJSkIduq', 'd3HJeBCtkE', 'rDlJUVuBDe', 'fgfJnHUsrD', 'G2GJgMQrod', 'poZJZpgU5I'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, byeJX0zrkYWomtClHa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbwmdXukOn', 'EFkmkAT2XU', 'FyBmwCb29p', 'PkGmJ3KW2g', 'rDCmN8I6Fi', 'Fp2mmsXNst', 'NAKmyqv9LX'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, yUcjGLUKCl2sD1MjiU.cs	High entropy of concatenated method names: 'T9cepk51v0', 'B2Ge7h7hsv', 'dhLel0rWOD', 'l2werP8wBo', 'l23ekJXDn6', 'WL8ewGwg2Y', 'uDgeJTEJwI', 'iUheNQs8Fi', 'WbFemZgQxK', 'g8Xey1RWgu'

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 4470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 57A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 67A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 68D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 78D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 8060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 9090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: A090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: B090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Window / User API: threadDelayed 1848			Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Window / User API: threadDelayed 8011			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7836	Thread sleep count: 1848 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7836	Thread sleep count: 8011 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98230s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97012s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96900s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94608s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99436	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98997	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98780	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98230	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97233	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97012	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96900	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96686	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96356	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96249	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96030	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95593	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95155	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95046	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94608	Jump to behavior

Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2471164684.0000000000C34000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Memory written: C:\Users\user\Desktop\1iO53raUh69l6nV.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Users\user\Desktop\1iO53raUh69l6nV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Users\user\Desktop\1iO53raUh69l6nV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7712, type: MEMORYSTR

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality

Found malware configuration

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7712, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.91.198.143	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.225	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.223	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.224	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false

Contacted Domains

Name	IP	Active
us2.smtp.mailhostbox.com	208.91.199.224	true

AV Detection

Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "jb@hargeisawateragancy.com", "Password": "cVRkXnN1"}

Multi AV Scanner detection for submitted file

Source: 1iO53raUh69l6nV.exe

ReversingLabs: Detection: 23%

Machine Learning detection for sample

Source: 1iO53raUh69l6nV.exe

Joe Sandbox ML: detected

Yara detected Generic Downloader

Source: 1iO53raUh69l6nV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1iO53raUh69l6nV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RZSu.pdb source: 1iO53raUh69l6nV.exe
Source:	Binary string: RZSu.pdbSHA256 source: 1iO53raUh69l6nV.exe

Networking

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.224:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.198.143:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.223:587

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225
Source: Joe Sandbox View	IP Address: 208.91.199.223 208.91.199.223
Source: Joe Sandbox View	IP Address: 208.91.199.224 208.91.199.224

Uses SMTP (mail sending)

Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.224:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.198.143:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.10:49704 -> 208.91.199.223:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2472852502.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, 1iO53raUh69l6nV.exe, 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, cPKWk.cs	.Net Code: PWYyNOa
Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, cPKWk.cs	.Net Code: PWYyNOa

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 1.2.1iO53raUh69l6nV.exe.4b70000.4.raw.unpack, LoginForm.cs

Large array initialization: : array initializer size 33603

.NET source code contains very large strings

Source: 1iO53raUh69l6nV.exe, Frm_Initialize.cs

Long String: Length: 127053

Detected potential crypto function

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_0230DC74	1_2_0230DC74
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32030	1_2_04F32030
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32020	1_2_04F32020
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F341E8	1_2_04F341E8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F341D9	1_2_04F341D9
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F302E0	1_2_04F302E0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F302D1	1_2_04F302D1
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32EE8	1_2_04F32EE8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F32ED9	1_2_04F32ED9
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33491	1_2_04F33491
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F39768	1_2_04F39768
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F39758	1_2_04F39758
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F310A0	1_2_04F310A0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F31190	1_2_04F31190
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F35150	1_2_04F35150
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F35141	1_2_04F35141
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F3B288	1_2_04F3B288
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F3B278	1_2_04F3B278
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33258	1_2_04F33258
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33248	1_2_04F33248
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33ED0	1_2_04F33ED0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F33EC0	1_2_04F33EC0
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F31E39	1_2_04F31E39
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F31AB1	1_2_04F31AB1
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_090639C8	1_2_090639C8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09064808	1_2_09064808
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09062311	1_2_09062311
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09062320	1_2_09062320
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09068BF8	1_2_09068BF8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09063E00	1_2_09063E00
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_09061EE8	1_2_09061EE8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CEDB57	2_2_00CEDB57
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CEA068	2_2_00CEA068
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CEBB58	2_2_00CEBB58
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02834A98	2_2_02834A98
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02839BF2	2_2_02839BF2
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02833E80	2_2_02833E80
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_0283CE98	2_2_0283CE98
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_028341C8	2_2_028341C8

Sample file is different than original file name gathered from version info

Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1240206329.0000000007FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1235745210.0000000002703000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename30e7bd5c-bf01-43c1-b417-4b8cd9ce37cc.exe4 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename30e7bd5c-bf01-43c1-b417-4b8cd9ce37cc.exe4 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000000.1221429388.00000000000E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRZSu.exe: vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000001.00000002.1238927547.0000000004B70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2470990729.00000000007E9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2470688902.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename30e7bd5c-bf01-43c1-b417-4b8cd9ce37cc.exe4 vs 1iO53raUh69l6nV.exe
Source: 1iO53raUh69l6nV.exe	Binary or memory string: OriginalFilenameRZSu.exe: vs 1iO53raUh69l6nV.exe

Source: 1iO53raUh69l6nV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 1iO53raUh69l6nV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.SetAccessControl
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.AddAccessRule
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, IYZ53VXbxXwObATeYM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.SetAccessControl
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.AddAccessRule
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.SetAccessControl
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	Security API names: _0020.AddAccessRule
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, IYZ53VXbxXwObATeYM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, IYZ53VXbxXwObATeYM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/4

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1iO53raUh69l6nV.exe.log

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Mutant created: NULL

Source: 1iO53raUh69l6nV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1iO53raUh69l6nV.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 1iO53raUh69l6nV.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File read: C:\Users\user\Desktop\1iO53raUh69l6nV.exe:Zone.Identifier

Source: unknown	Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

.NET source code contains potential unpacker

Source: 1iO53raUh69l6nV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1iO53raUh69l6nV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 1iO53raUh69l6nV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RZSu.pdb source: 1iO53raUh69l6nV.exe
Source:	Binary string: RZSu.pdbSHA256 source: 1iO53raUh69l6nV.exe

Data Obfuscation

Source: 1iO53raUh69l6nV.exe, Frm_Initialize.cs	.Net Code: InitializeComponent
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	.Net Code: OfqWjVrG5E System.Reflection.Assembly.Load(byte[])
Source: 1.2.1iO53raUh69l6nV.exe.4b70000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	.Net Code: OfqWjVrG5E System.Reflection.Assembly.Load(byte[])
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	.Net Code: OfqWjVrG5E System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: 1iO53raUh69l6nV.exe

Static PE information: 0x9A6EEF3E [Wed Feb 7 23:31:10 2052 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F30BE7 pushad ; retf	1_2_04F30BE8
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 1_2_04F30BDD pushad ; retf	1_2_04F30BDE
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CE4CB0 pushfd ; iretd	2_2_00CE4CB9
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CE12D0 push ecx; iretd	2_2_00CE12DA
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_00CE12BF push ecx; iretd	2_2_00CE12CA
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Code function: 2_2_02839B40 push eax; retf 02A0h	2_2_02839BF1

Source: 1iO53raUh69l6nV.exe

Static PE information: section name: .text entropy: 7.246440036496841

Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, JNo5aAuf1evRt1lPgP.cs	High entropy of concatenated method names: 'KO6mVFbbZw', 'Atkm9VN4aw', 'tjamW6NUG0', 'BtGmqHObRI', 'qkymSyNAn0', 'NUUmUMxYFQ', 'XCxmnemLLQ', 'XSxN4YNGvH', 'nm8NArcTwA', 'CGIN68Exs8'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, pv44dh69OxkXse9LugM.cs	High entropy of concatenated method names: 'JbcmY9Dkel', 'VP0ms2HiI2', 'pYGmjmMXjF', 'GONmpZjaBC', 'lVmmXFR43s', 'HnIm72EoMc', 'EM3moe44sD', 'nuDmlv4v5a', 'h3umriw2HQ', 'EjVm2n61lE'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, KYwJwe2MQNtymlYNMg.cs	High entropy of concatenated method names: 'bWAdl29MSo', 'UQJdrFCt7q', 'on1dC3TdFa', 'p9Bd5tHgg6', 'dtcdbCdInt', 'Anjd07dJu7', 'cmSdigvsLg', 'XmGdMgsUnn', 'VpAdQTSGF5', 'YWCdEFDGRA'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, IYZ53VXbxXwObATeYM.cs	High entropy of concatenated method names: 'ulCS3eFpWx', 'I98S801CRy', 'pPwSvvO4yl', 'lOnShj0TWk', 'pHiSxc4jLm', 'OmTStweKfn', 'swFS4ZhsUo', 'gXKSAthHlE', 'mGHS6gdEXc', 'DCYSOkCq8S'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, DQe1HhAG2ZWVNAEk3r.cs	High entropy of concatenated method names: 'YSLkQ8tf5x', 'sKekagDbVJ', 'xqok3FWTFr', 'BGOk8bB1Ae', 'm6uk5Zf0r0', 'nvtkHBG3an', 'j1IkbIuXOF', 'zayk0ofUbM', 'DuIkcd5NCi', 'rVtkii5DFM'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, BBg2Y7jIWxvOriNXUm.cs	High entropy of concatenated method names: 'CuENqMgqHc', 'j0RNSaubEf', 'thrNeSfKsH', 'XAGNUOEE8p', 'mmBNnreeTN', 'I7tNg3kOWo', 'D9uNZFgUX5', 'UcYNFOIAE0', 'a5PNLPC4FB', 'L15NTEoSll'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, idhxbnecpeZAsitbF9.cs	High entropy of concatenated method names: 'LpIUXahvRu', 'gYsUoQT9bq', 'D8UeHWNK4O', 'trNeb8dXSG', 'VuMe0vA40a', 'VlWecsOkHQ', 'j61eioIoL9', 'T1ceMqxKe0', 'tETefmwq0x', 'fjLeQFFjiY'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, lsQA76HNqrX4BikMLF.cs	High entropy of concatenated method names: 'x2RgY9D8VD', 'vR4gsaX1CI', 'S0xgjc3tYu', 'q01gp4jLZh', 'FOKgX9CkV1', 'P82g7qCEiX', 'BPvgoMOJ23', 'qwuglDiOsl', 'hHmgrJjJvY', 'eEsg2lcFJd'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	High entropy of concatenated method names: 'Sfa9uHFi4P', 'riS9qWXRtk', 'cnh9SXb65m', 'rQ19elyBGI', 'wR69UwLJ0F', 'K2u9nu37VT', 'cxY9gHErh4', 'f8U9ZqjXPO', 'Lv69FHcC0I', 'Ryy9LOv92A'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, YG1QWTMKBlq2lrPaKR.cs	High entropy of concatenated method names: 'dlCnuhQIIP', 'KGcnS0p9tB', 'WTjnU7YjND', 'BgxngPmx0s', 'Kc4nZPhlnT', 'chYUx98KqB', 'LN8UtcEL0f', 'AVuU4NtDil', 'PtuUAf2WLn', 'hrEU6AHFZe'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, UKoJlhq4dhgqka6men.cs	High entropy of concatenated method names: 'QD1jsw5IO', 'gJ3p47PZk', 'vG07V00ot', 'tFGoKvplv', 'FNLr8tfJ9', 'TsF2Hi16Q', 'RiJHq23CWovSk9esxh', 'NxerK3FJ2KVmtXHyaG', 'OxgNMUJNP', 'AbKy4AJGs'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, MVRrFKnI179dQDHU5g.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a0WB66F3Jv', 'L6bBOnfK7J', 'puNBz3Zu8g', 'eQc9RQvUAV', 'vVO9VaSf9M', 'JOn9BWWXtU', 'htV996NPbr', 'yjqsbhi5Kcy4cxhkTZ4'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, Nu0M8u8wMpySfZCVwB.cs	High entropy of concatenated method names: 'Dispose', 'DPfV6gZ4ur', 'MygB5XRAMT', 'GXTKK23eGU', 'ABvVO3wSK6', 'PfgVz5n1GT', 'ProcessDialogKey', 'BYSBRBKUvx', 'GOJBVKh9or', 'GBCBBUaMg1'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, s8W0FW66VmDbecc4pUf.cs	High entropy of concatenated method names: 'ToString', 'n3Iy90Rxlg', 'CK3yWwg1Bt', 'fBvyukaC1o', 'bFiyqmKkWP', 'ENAySvmVVi', 'CUZyecmJdh', 'olEyUDqHm6', 'GFgXEDCFmFL1HJRRA4O', 'mI9Qy2CLqwhHHT24xhk'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, vM4pkdQhgCgho4invJ.cs	High entropy of concatenated method names: 'l59JAfIunQ', 'l7mJO89hXn', 'MFHNRHnuhd', 'EQ5NVJnPtu', 'Ae0JEtrUM5', 'ksKJaSKAXS', 'gmGJG0FBig', 'KgYJ3pB3Qg', 'OyTJ8klmk6', 'qQIJv9crwb'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, cDSYvoo2jIECEdk31y.cs	High entropy of concatenated method names: 'ToString', 'UgNwESsXnc', 'gnsw5d1X90', 'lynwHFjLjA', 'Ni4wbXCNxT', 'onQw0FTb0L', 'JHDwcdKshw', 'Beswi4wE20', 'iCBwMEchoa', 'L1OwfL9728'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, I8WSH91ugPBrVbT72f.cs	High entropy of concatenated method names: 'ho5VgH6WIv', 'DgFVZNUlet', 'oLYVLRbkH3', 'lgUVTIv31C', 'PugVkXBsT2', 'CT6VwwW4PR', 'EeFkZ8SCX6xPEDynIR', 'bHEwSnwZh3SVhdjy4b', 'gA5VVjJ80j', 'I6fV9WN82N'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, N162suOFhMp83rR8YW.cs	High entropy of concatenated method names: 'blTgqVHS9L', 'n2JgeUDLVG', 'YEygnC8AdF', 'EeLnOVB4p2', 'vqcnzRN9ZL', 'ag7gRMPVAs', 'nO9gVVyiTp', 'ycOgBDK6SL', 'YyFg9FtOxS', 'hfPgWdUON0'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, sZ3VmRhklnRckKFXBQ.cs	High entropy of concatenated method names: 'k09JLU5745', 'AmtJTYNa5I', 'ToString', 'jqpJq0Hjba', 'U7uJSkIduq', 'd3HJeBCtkE', 'rDlJUVuBDe', 'fgfJnHUsrD', 'G2GJgMQrod', 'poZJZpgU5I'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, byeJX0zrkYWomtClHa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbwmdXukOn', 'EFkmkAT2XU', 'FyBmwCb29p', 'PkGmJ3KW2g', 'rDCmN8I6Fi', 'Fp2mmsXNst', 'NAKmyqv9LX'
Source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, yUcjGLUKCl2sD1MjiU.cs	High entropy of concatenated method names: 'T9cepk51v0', 'B2Ge7h7hsv', 'dhLel0rWOD', 'l2werP8wBo', 'l23ekJXDn6', 'WL8ewGwg2Y', 'uDgeJTEJwI', 'iUheNQs8Fi', 'WbFemZgQxK', 'g8Xey1RWgu'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, JNo5aAuf1evRt1lPgP.cs	High entropy of concatenated method names: 'KO6mVFbbZw', 'Atkm9VN4aw', 'tjamW6NUG0', 'BtGmqHObRI', 'qkymSyNAn0', 'NUUmUMxYFQ', 'XCxmnemLLQ', 'XSxN4YNGvH', 'nm8NArcTwA', 'CGIN68Exs8'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, pv44dh69OxkXse9LugM.cs	High entropy of concatenated method names: 'JbcmY9Dkel', 'VP0ms2HiI2', 'pYGmjmMXjF', 'GONmpZjaBC', 'lVmmXFR43s', 'HnIm72EoMc', 'EM3moe44sD', 'nuDmlv4v5a', 'h3umriw2HQ', 'EjVm2n61lE'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, KYwJwe2MQNtymlYNMg.cs	High entropy of concatenated method names: 'bWAdl29MSo', 'UQJdrFCt7q', 'on1dC3TdFa', 'p9Bd5tHgg6', 'dtcdbCdInt', 'Anjd07dJu7', 'cmSdigvsLg', 'XmGdMgsUnn', 'VpAdQTSGF5', 'YWCdEFDGRA'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, IYZ53VXbxXwObATeYM.cs	High entropy of concatenated method names: 'ulCS3eFpWx', 'I98S801CRy', 'pPwSvvO4yl', 'lOnShj0TWk', 'pHiSxc4jLm', 'OmTStweKfn', 'swFS4ZhsUo', 'gXKSAthHlE', 'mGHS6gdEXc', 'DCYSOkCq8S'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, DQe1HhAG2ZWVNAEk3r.cs	High entropy of concatenated method names: 'YSLkQ8tf5x', 'sKekagDbVJ', 'xqok3FWTFr', 'BGOk8bB1Ae', 'm6uk5Zf0r0', 'nvtkHBG3an', 'j1IkbIuXOF', 'zayk0ofUbM', 'DuIkcd5NCi', 'rVtkii5DFM'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, BBg2Y7jIWxvOriNXUm.cs	High entropy of concatenated method names: 'CuENqMgqHc', 'j0RNSaubEf', 'thrNeSfKsH', 'XAGNUOEE8p', 'mmBNnreeTN', 'I7tNg3kOWo', 'D9uNZFgUX5', 'UcYNFOIAE0', 'a5PNLPC4FB', 'L15NTEoSll'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, idhxbnecpeZAsitbF9.cs	High entropy of concatenated method names: 'LpIUXahvRu', 'gYsUoQT9bq', 'D8UeHWNK4O', 'trNeb8dXSG', 'VuMe0vA40a', 'VlWecsOkHQ', 'j61eioIoL9', 'T1ceMqxKe0', 'tETefmwq0x', 'fjLeQFFjiY'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, lsQA76HNqrX4BikMLF.cs	High entropy of concatenated method names: 'x2RgY9D8VD', 'vR4gsaX1CI', 'S0xgjc3tYu', 'q01gp4jLZh', 'FOKgX9CkV1', 'P82g7qCEiX', 'BPvgoMOJ23', 'qwuglDiOsl', 'hHmgrJjJvY', 'eEsg2lcFJd'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	High entropy of concatenated method names: 'Sfa9uHFi4P', 'riS9qWXRtk', 'cnh9SXb65m', 'rQ19elyBGI', 'wR69UwLJ0F', 'K2u9nu37VT', 'cxY9gHErh4', 'f8U9ZqjXPO', 'Lv69FHcC0I', 'Ryy9LOv92A'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, YG1QWTMKBlq2lrPaKR.cs	High entropy of concatenated method names: 'dlCnuhQIIP', 'KGcnS0p9tB', 'WTjnU7YjND', 'BgxngPmx0s', 'Kc4nZPhlnT', 'chYUx98KqB', 'LN8UtcEL0f', 'AVuU4NtDil', 'PtuUAf2WLn', 'hrEU6AHFZe'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, UKoJlhq4dhgqka6men.cs	High entropy of concatenated method names: 'QD1jsw5IO', 'gJ3p47PZk', 'vG07V00ot', 'tFGoKvplv', 'FNLr8tfJ9', 'TsF2Hi16Q', 'RiJHq23CWovSk9esxh', 'NxerK3FJ2KVmtXHyaG', 'OxgNMUJNP', 'AbKy4AJGs'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, MVRrFKnI179dQDHU5g.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a0WB66F3Jv', 'L6bBOnfK7J', 'puNBz3Zu8g', 'eQc9RQvUAV', 'vVO9VaSf9M', 'JOn9BWWXtU', 'htV996NPbr', 'yjqsbhi5Kcy4cxhkTZ4'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, Nu0M8u8wMpySfZCVwB.cs	High entropy of concatenated method names: 'Dispose', 'DPfV6gZ4ur', 'MygB5XRAMT', 'GXTKK23eGU', 'ABvVO3wSK6', 'PfgVz5n1GT', 'ProcessDialogKey', 'BYSBRBKUvx', 'GOJBVKh9or', 'GBCBBUaMg1'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, s8W0FW66VmDbecc4pUf.cs	High entropy of concatenated method names: 'ToString', 'n3Iy90Rxlg', 'CK3yWwg1Bt', 'fBvyukaC1o', 'bFiyqmKkWP', 'ENAySvmVVi', 'CUZyecmJdh', 'olEyUDqHm6', 'GFgXEDCFmFL1HJRRA4O', 'mI9Qy2CLqwhHHT24xhk'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, vM4pkdQhgCgho4invJ.cs	High entropy of concatenated method names: 'l59JAfIunQ', 'l7mJO89hXn', 'MFHNRHnuhd', 'EQ5NVJnPtu', 'Ae0JEtrUM5', 'ksKJaSKAXS', 'gmGJG0FBig', 'KgYJ3pB3Qg', 'OyTJ8klmk6', 'qQIJv9crwb'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, cDSYvoo2jIECEdk31y.cs	High entropy of concatenated method names: 'ToString', 'UgNwESsXnc', 'gnsw5d1X90', 'lynwHFjLjA', 'Ni4wbXCNxT', 'onQw0FTb0L', 'JHDwcdKshw', 'Beswi4wE20', 'iCBwMEchoa', 'L1OwfL9728'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, I8WSH91ugPBrVbT72f.cs	High entropy of concatenated method names: 'ho5VgH6WIv', 'DgFVZNUlet', 'oLYVLRbkH3', 'lgUVTIv31C', 'PugVkXBsT2', 'CT6VwwW4PR', 'EeFkZ8SCX6xPEDynIR', 'bHEwSnwZh3SVhdjy4b', 'gA5VVjJ80j', 'I6fV9WN82N'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, N162suOFhMp83rR8YW.cs	High entropy of concatenated method names: 'blTgqVHS9L', 'n2JgeUDLVG', 'YEygnC8AdF', 'EeLnOVB4p2', 'vqcnzRN9ZL', 'ag7gRMPVAs', 'nO9gVVyiTp', 'ycOgBDK6SL', 'YyFg9FtOxS', 'hfPgWdUON0'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, sZ3VmRhklnRckKFXBQ.cs	High entropy of concatenated method names: 'k09JLU5745', 'AmtJTYNa5I', 'ToString', 'jqpJq0Hjba', 'U7uJSkIduq', 'd3HJeBCtkE', 'rDlJUVuBDe', 'fgfJnHUsrD', 'G2GJgMQrod', 'poZJZpgU5I'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, byeJX0zrkYWomtClHa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbwmdXukOn', 'EFkmkAT2XU', 'FyBmwCb29p', 'PkGmJ3KW2g', 'rDCmN8I6Fi', 'Fp2mmsXNst', 'NAKmyqv9LX'
Source: 1.2.1iO53raUh69l6nV.exe.7fd0000.7.raw.unpack, yUcjGLUKCl2sD1MjiU.cs	High entropy of concatenated method names: 'T9cepk51v0', 'B2Ge7h7hsv', 'dhLel0rWOD', 'l2werP8wBo', 'l23ekJXDn6', 'WL8ewGwg2Y', 'uDgeJTEJwI', 'iUheNQs8Fi', 'WbFemZgQxK', 'g8Xey1RWgu'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, JNo5aAuf1evRt1lPgP.cs	High entropy of concatenated method names: 'KO6mVFbbZw', 'Atkm9VN4aw', 'tjamW6NUG0', 'BtGmqHObRI', 'qkymSyNAn0', 'NUUmUMxYFQ', 'XCxmnemLLQ', 'XSxN4YNGvH', 'nm8NArcTwA', 'CGIN68Exs8'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, pv44dh69OxkXse9LugM.cs	High entropy of concatenated method names: 'JbcmY9Dkel', 'VP0ms2HiI2', 'pYGmjmMXjF', 'GONmpZjaBC', 'lVmmXFR43s', 'HnIm72EoMc', 'EM3moe44sD', 'nuDmlv4v5a', 'h3umriw2HQ', 'EjVm2n61lE'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, KYwJwe2MQNtymlYNMg.cs	High entropy of concatenated method names: 'bWAdl29MSo', 'UQJdrFCt7q', 'on1dC3TdFa', 'p9Bd5tHgg6', 'dtcdbCdInt', 'Anjd07dJu7', 'cmSdigvsLg', 'XmGdMgsUnn', 'VpAdQTSGF5', 'YWCdEFDGRA'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, IYZ53VXbxXwObATeYM.cs	High entropy of concatenated method names: 'ulCS3eFpWx', 'I98S801CRy', 'pPwSvvO4yl', 'lOnShj0TWk', 'pHiSxc4jLm', 'OmTStweKfn', 'swFS4ZhsUo', 'gXKSAthHlE', 'mGHS6gdEXc', 'DCYSOkCq8S'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, DQe1HhAG2ZWVNAEk3r.cs	High entropy of concatenated method names: 'YSLkQ8tf5x', 'sKekagDbVJ', 'xqok3FWTFr', 'BGOk8bB1Ae', 'm6uk5Zf0r0', 'nvtkHBG3an', 'j1IkbIuXOF', 'zayk0ofUbM', 'DuIkcd5NCi', 'rVtkii5DFM'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, BBg2Y7jIWxvOriNXUm.cs	High entropy of concatenated method names: 'CuENqMgqHc', 'j0RNSaubEf', 'thrNeSfKsH', 'XAGNUOEE8p', 'mmBNnreeTN', 'I7tNg3kOWo', 'D9uNZFgUX5', 'UcYNFOIAE0', 'a5PNLPC4FB', 'L15NTEoSll'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, idhxbnecpeZAsitbF9.cs	High entropy of concatenated method names: 'LpIUXahvRu', 'gYsUoQT9bq', 'D8UeHWNK4O', 'trNeb8dXSG', 'VuMe0vA40a', 'VlWecsOkHQ', 'j61eioIoL9', 'T1ceMqxKe0', 'tETefmwq0x', 'fjLeQFFjiY'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, lsQA76HNqrX4BikMLF.cs	High entropy of concatenated method names: 'x2RgY9D8VD', 'vR4gsaX1CI', 'S0xgjc3tYu', 'q01gp4jLZh', 'FOKgX9CkV1', 'P82g7qCEiX', 'BPvgoMOJ23', 'qwuglDiOsl', 'hHmgrJjJvY', 'eEsg2lcFJd'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, ocuqGQk7Zt9Bl8mrrq.cs	High entropy of concatenated method names: 'Sfa9uHFi4P', 'riS9qWXRtk', 'cnh9SXb65m', 'rQ19elyBGI', 'wR69UwLJ0F', 'K2u9nu37VT', 'cxY9gHErh4', 'f8U9ZqjXPO', 'Lv69FHcC0I', 'Ryy9LOv92A'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, YG1QWTMKBlq2lrPaKR.cs	High entropy of concatenated method names: 'dlCnuhQIIP', 'KGcnS0p9tB', 'WTjnU7YjND', 'BgxngPmx0s', 'Kc4nZPhlnT', 'chYUx98KqB', 'LN8UtcEL0f', 'AVuU4NtDil', 'PtuUAf2WLn', 'hrEU6AHFZe'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, UKoJlhq4dhgqka6men.cs	High entropy of concatenated method names: 'QD1jsw5IO', 'gJ3p47PZk', 'vG07V00ot', 'tFGoKvplv', 'FNLr8tfJ9', 'TsF2Hi16Q', 'RiJHq23CWovSk9esxh', 'NxerK3FJ2KVmtXHyaG', 'OxgNMUJNP', 'AbKy4AJGs'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, MVRrFKnI179dQDHU5g.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a0WB66F3Jv', 'L6bBOnfK7J', 'puNBz3Zu8g', 'eQc9RQvUAV', 'vVO9VaSf9M', 'JOn9BWWXtU', 'htV996NPbr', 'yjqsbhi5Kcy4cxhkTZ4'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, Nu0M8u8wMpySfZCVwB.cs	High entropy of concatenated method names: 'Dispose', 'DPfV6gZ4ur', 'MygB5XRAMT', 'GXTKK23eGU', 'ABvVO3wSK6', 'PfgVz5n1GT', 'ProcessDialogKey', 'BYSBRBKUvx', 'GOJBVKh9or', 'GBCBBUaMg1'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, s8W0FW66VmDbecc4pUf.cs	High entropy of concatenated method names: 'ToString', 'n3Iy90Rxlg', 'CK3yWwg1Bt', 'fBvyukaC1o', 'bFiyqmKkWP', 'ENAySvmVVi', 'CUZyecmJdh', 'olEyUDqHm6', 'GFgXEDCFmFL1HJRRA4O', 'mI9Qy2CLqwhHHT24xhk'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, vM4pkdQhgCgho4invJ.cs	High entropy of concatenated method names: 'l59JAfIunQ', 'l7mJO89hXn', 'MFHNRHnuhd', 'EQ5NVJnPtu', 'Ae0JEtrUM5', 'ksKJaSKAXS', 'gmGJG0FBig', 'KgYJ3pB3Qg', 'OyTJ8klmk6', 'qQIJv9crwb'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, cDSYvoo2jIECEdk31y.cs	High entropy of concatenated method names: 'ToString', 'UgNwESsXnc', 'gnsw5d1X90', 'lynwHFjLjA', 'Ni4wbXCNxT', 'onQw0FTb0L', 'JHDwcdKshw', 'Beswi4wE20', 'iCBwMEchoa', 'L1OwfL9728'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, I8WSH91ugPBrVbT72f.cs	High entropy of concatenated method names: 'ho5VgH6WIv', 'DgFVZNUlet', 'oLYVLRbkH3', 'lgUVTIv31C', 'PugVkXBsT2', 'CT6VwwW4PR', 'EeFkZ8SCX6xPEDynIR', 'bHEwSnwZh3SVhdjy4b', 'gA5VVjJ80j', 'I6fV9WN82N'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, N162suOFhMp83rR8YW.cs	High entropy of concatenated method names: 'blTgqVHS9L', 'n2JgeUDLVG', 'YEygnC8AdF', 'EeLnOVB4p2', 'vqcnzRN9ZL', 'ag7gRMPVAs', 'nO9gVVyiTp', 'ycOgBDK6SL', 'YyFg9FtOxS', 'hfPgWdUON0'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, sZ3VmRhklnRckKFXBQ.cs	High entropy of concatenated method names: 'k09JLU5745', 'AmtJTYNa5I', 'ToString', 'jqpJq0Hjba', 'U7uJSkIduq', 'd3HJeBCtkE', 'rDlJUVuBDe', 'fgfJnHUsrD', 'G2GJgMQrod', 'poZJZpgU5I'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, byeJX0zrkYWomtClHa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbwmdXukOn', 'EFkmkAT2XU', 'FyBmwCb29p', 'PkGmJ3KW2g', 'rDCmN8I6Fi', 'Fp2mmsXNst', 'NAKmyqv9LX'
Source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, yUcjGLUKCl2sD1MjiU.cs	High entropy of concatenated method names: 'T9cepk51v0', 'B2Ge7h7hsv', 'dhLel0rWOD', 'l2werP8wBo', 'l23ekJXDn6', 'WL8ewGwg2Y', 'uDgeJTEJwI', 'iUheNQs8Fi', 'WbFemZgQxK', 'g8Xey1RWgu'

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 4470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 57A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 67A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 68D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 78D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 8060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 9090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: A090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: B090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Window / User API: threadDelayed 1848			Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Window / User API: threadDelayed 8011			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7836	Thread sleep count: 1848 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7836	Thread sleep count: 8011 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98230s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -97012s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96900s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -96030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -95046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe TID: 7828	Thread sleep time: -94608s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99436	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98997	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98780	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98230	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97233	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 97012	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96900	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96686	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96356	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96249	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 96030	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95593	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95155	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 95046	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Thread delayed: delay time: 94608	Jump to behavior

Source: 1iO53raUh69l6nV.exe, 00000002.00000002.2471164684.0000000000C34000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Memory written: C:\Users\user\Desktop\1iO53raUh69l6nV.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Process created: C:\Users\user\Desktop\1iO53raUh69l6nV.exe "C:\Users\user\Desktop\1iO53raUh69l6nV.exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Users\user\Desktop\1iO53raUh69l6nV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Users\user\Desktop\1iO53raUh69l6nV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7712, type: MEMORYSTR

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\1iO53raUh69l6nV.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.1iO53raUh69l6nV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34f3048.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.41f32b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.34b7a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.1iO53raUh69l6nV.exe.4164a90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2470688902.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2472852502.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1236202233.0000000003F13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1iO53raUh69l6nV.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality