
Analysis Report l9RBxJ7phm.exe

Overview

General Information

Sample Name: l9RBxJ7phm.exe
MD5: bd2aeaab8f491a77f7c7ce59b027cf2c
SHA1: 2a790244357f24b6145a43d35a3644728250e2dc
SHA256: 5b37cc85fd190a6b4726ea57f2588b5a74acc2c51e2917363c226b73ac79118f

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains potential unpacker
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • l9RBxJ7phm.exe (PID: 4228 cmdline: 'C:\Users\user\Desktop\l9RBxJ7phm.exe' MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
    • l9RBxJ7phm.exe (PID: 484 cmdline: C:\Users\user\Desktop\l9RBxJ7phm.exe MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
    • l9RBxJ7phm.exe (PID: 3812 cmdline: C:\Users\user\Desktop\l9RBxJ7phm.exe MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
    • l9RBxJ7phm.exe (PID: 2992 cmdline: C:\Users\user\Desktop\l9RBxJ7phm.exe MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
      • netsh.exe (PID: 3064 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • appdata.exe (PID: 2872 cmdline: 'C:\Users\user\appdata.exe' MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
    • appdata.exe (PID: 484 cmdline: C:\Users\user\appdata.exe MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
  • appdata.exe (PID: 4932 cmdline: 'C:\Users\user\appdata.exe' MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
    • appdata.exe (PID: 4604 cmdline: C:\Users\user\appdata.exe MD5: BD2AEAAB8F491A77F7C7CE59B027CF2C)
      • netsh.exe (PID: 4304 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "xt2rTfNtVEKt", "URL: ": "http://4blAHBpMqaVoAxmZKQ.net", "To: ": "", "ByHost: ": "twire.icu:5878", "Password: ": "sMJ4pbUhSbtpQ", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.878628060.0000000003DD4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.804333421.0000000003C90000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.805732097.0000000003EA4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.1207820777.0000000003000000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.800905045.0000000002CA2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.l9RBxJ7phm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.appdata.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
9.2.appdata.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security
Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\Desktop\l9RBxJ7phm.exe, ParentImage: C:\Users\user\Desktop\l9RBxJ7phm.exe, ParentProcessId: 2992, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 3064

Signature Overview

AV Detection:

Found malware configuration
Source: l9RBxJ7phm.exe.2992.4.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "xt2rTfNtVEKt", "URL: ": "http://4blAHBpMqaVoAxmZKQ.net", "To: ": "", "ByHost: ": "twire.icu:5878", "Password: ": "sMJ4pbUhSbtpQ", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\appdata.exe | Virustotal: Detection: 75%
Source: C:\Users\user\appdata.exe | Metadefender: Detection: 18%
Source: C:\Users\user\appdata.exe | ReversingLabs: Detection: 83%
Multi AV Scanner detection for submitted file
Source: l9RBxJ7phm.exe | Virustotal: Detection: 75%
Source: l9RBxJ7phm.exe | Metadefender: Detection: 18%
Source: l9RBxJ7phm.exe | ReversingLabs: Detection: 83%
Machine Learning detection for dropped file
Source: C:\Users\user\appdata.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: l9RBxJ7phm.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.l9RBxJ7phm.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.2.appdata.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.2.appdata.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4x nop then inc dword ptr [ebp-14h] | 0_2_01469B60
Source: C:\Users\user\appdata.exe | Code function: 4x nop then inc dword ptr [ebp-14h] | 5_2_04DB9B60

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49747 -> 198.54.120.244:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49749 -> 198.54.120.244:587
Source: global traffic | TCP traffic: 192.168.2.5:49747 -> 198.54.120.244:587
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: global traffic | TCP traffic: 192.168.2.5:49747 -> 198.54.120.244:587
Source: unknown | DNS traffic detected: queries for: twire.icu
Source: appdata.exe, 00000009.00000002.1208235662.000000000312A000.00000004.00000001.sdmp | String found in binary or memory: http://4blAHBpMqaVoAxmZKQ.net
Source: l9RBxJ7phm.exe, 00000004.00000002.1208527314.0000000002F5A000.00000004.00000001.sdmp, appdata.exe, 00000009.00000002.1208488230.00000000031EC000.00000004.00000001.sdmp | String found in binary or memory: http://twire.icu
Source: appdata.exe, appdata.exe, 00000007.00000002.879289462.0000000000EF2000.00000002.00020000.sdmp, appdata.exe, 00000008.00000002.873548628.0000000000812000.00000002.00020000.sdmp, appdata.exe, 00000009.00000002.1205309131.0000000000CF2000.00000002.00020000.sdmp, l9RBxJ7phm.exe | String found in binary or memory: https://www.pelock.com/api/aztec-decoder/v1

Source: l9RBxJ7phm.exe, 00000000.00000002.800114200.0000000000FE0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Sample file is different than original file name gathered from version info
Source: l9RBxJ7phm.exe | Binary or memory string: OriginalFilename vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000000.00000002.808873382.0000000005240000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLOL.dllH vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000000.00000002.804333421.0000000003C90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMYDLLSTUBSHARED.dll4 vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000000.00000002.804333421.0000000003C90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRcamjXoBSptTgrUZcBnJIX.exe4 vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000000.00000002.800114200.0000000000FE0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000000.00000002.799154747.0000000000902000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameklash.exe, vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000000.00000002.804248764.0000000002FEB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename26.dll4 vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000000.00000002.801134816.0000000002D24000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUnhook.dll. vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000000.00000002.808368816.0000000005140000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZImBOZX.dll< vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe | Binary or memory string: OriginalFilename vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000002.00000002.797407105.0000000000042000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameklash.exe, vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe | Binary or memory string: OriginalFilename vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000003.00000002.798108332.0000000000302000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameklash.exe, vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe | Binary or memory string: OriginalFilename vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000004.00000002.1211450643.00000000061B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000004.00000002.1211369418.00000000061A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000004.00000002.1211603501.0000000006310000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000004.00000000.798521459.0000000000992000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameklash.exe, vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000004.00000002.1205536081.0000000000D87000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000004.00000002.1206104383.0000000001070000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe, 00000004.00000002.1205198122.000000000044C000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRcamjXoBSptTgrUZcBnJIX.exe4 vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe | Binary or memory string: OriginalFilenameklash.exe, vs l9RBxJ7phm.exe
Source: l9RBxJ7phm.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: appdata.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Detected potential crypto function
Source: l9RBxJ7phm.exe, EaIk.cs | Cryptographic APIs: 'CreateDecryptor'
Source: l9RBxJ7phm.exe, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: l9RBxJ7phm.exe, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: appdata.exe.0.dr, EaIk.cs | Cryptographic APIs: 'CreateDecryptor'
Source: appdata.exe.0.dr, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: appdata.exe.0.dr, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.l9RBxJ7phm.exe.900000.0.unpack, EaIk.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.l9RBxJ7phm.exe.900000.0.unpack, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.l9RBxJ7phm.exe.900000.0.unpack, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.l9RBxJ7phm.exe.900000.0.unpack, EaIk.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.l9RBxJ7phm.exe.900000.0.unpack, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.l9RBxJ7phm.exe.900000.0.unpack, EaIk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/4@2/1
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | File created: C:\Users\user\appdata.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3360:120:WilError_01
Source: l9RBxJ7phm.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\appdata.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\appdata.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\appdata.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\appdata.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\appdata.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\appdata.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\appdata.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\appdata.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\appdata.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: l9RBxJ7phm.exe | Virustotal: Detection: 75%
Source: l9RBxJ7phm.exe | Metadefender: Detection: 18%
Source: l9RBxJ7phm.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | File read: C:\Users\user\Desktop\l9RBxJ7phm.exe
Source: unknown | Process created: C:\Users\user\Desktop\l9RBxJ7phm.exe 'C:\Users\user\Desktop\l9RBxJ7phm.exe'
Source: unknown | Process created: C:\Users\user\Desktop\l9RBxJ7phm.exe C:\Users\user\Desktop\l9RBxJ7phm.exe
Source: unknown | Process created: C:\Users\user\Desktop\l9RBxJ7phm.exe C:\Users\user\Desktop\l9RBxJ7phm.exe
Source: unknown | Process created: C:\Users\user\Desktop\l9RBxJ7phm.exe C:\Users\user\Desktop\l9RBxJ7phm.exe
Source: unknown | Process created: C:\Users\user\appdata.exe 'C:\Users\user\appdata.exe'
Source: unknown | Process created: C:\Users\user\appdata.exe C:\Users\user\appdata.exe
Source: unknown | Process created: C:\Users\user\appdata.exe 'C:\Users\user\appdata.exe'
Source: unknown | Process created: C:\Users\user\appdata.exe C:\Users\user\appdata.exe
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Process created: C:\Users\user\Desktop\l9RBxJ7phm.exe C:\Users\user\Desktop\l9RBxJ7phm.exe
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Process created: C:\Users\user\Desktop\l9RBxJ7phm.exe C:\Users\user\Desktop\l9RBxJ7phm.exe
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Process created: C:\Users\user\Desktop\l9RBxJ7phm.exe C:\Users\user\Desktop\l9RBxJ7phm.exe
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\appdata.exe | Process created: C:\Users\user\appdata.exe C:\Users\user\appdata.exe
Source: C:\Users\user\appdata.exe | Process created: C:\Users\user\appdata.exe C:\Users\user\appdata.exe
Source: C:\Users\user\appdata.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: l9RBxJ7phm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: l9RBxJ7phm.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Unhook.pdb | source: l9RBxJ7phm.exe, 00000000.00000002.801134816.0000000002D24000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.852629030.0000000002924000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.876641738.0000000002D7A000.00000004.00000001.sdmp
Source: Binary string: 26.pdb | source: l9RBxJ7phm.exe, 00000000.00000002.804248764.0000000002FEB000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.852629030.0000000002924000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.876641738.0000000002D7A000.00000004.00000001.sdmp
Source: Binary string: LOL.pdb | source: l9RBxJ7phm.exe, 00000000.00000002.808873382.0000000005240000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.852428359.00000000028A2000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.875647422.0000000002BD2000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ZImBOZX.pdbP-j- \-_CorDllMainmscoree.dll | source: l9RBxJ7phm.exe, 00000000.00000002.808368816.0000000005140000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.852401391.0000000002890000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.882377490.0000000005060000.00000004.00000001.sdmp
Source: Binary string: 26.pdbx | source: l9RBxJ7phm.exe, 00000000.00000002.804248764.0000000002FEB000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.852629030.0000000002924000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.876641738.0000000002D7A000.00000004.00000001.sdmp
                  Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ZImBOZX.pdb source: l9RBxJ7phm.exe, 00000000.00000002.808368816.0000000005140000.00000004.00000001.sdmp, appdata.exe, 00000005.00000002.852401391.0000000002890000.00000004.00000001.sdmp, appdata.exe, 00000008.00000002.882377490.0000000005060000.00000004.00000001.sdmp

                  Data Obfuscation:

                  .NET source code contains potential unpacker
                  Source: l9RBxJ7phm.exe, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: appdata.exe.0.dr, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.0.l9RBxJ7phm.exe.900000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.2.l9RBxJ7phm.exe.900000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 2.0.l9RBxJ7phm.exe.40000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 2.2.l9RBxJ7phm.exe.40000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 3.2.l9RBxJ7phm.exe.300000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 3.0.l9RBxJ7phm.exe.300000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 4.0.l9RBxJ7phm.exe.990000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 4.2.l9RBxJ7phm.exe.990000.1.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 5.2.appdata.exe.640000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 5.0.appdata.exe.640000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 7.2.appdata.exe.ef0000.1.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 7.0.appdata.exe.ef0000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 8.0.appdata.exe.810000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 8.2.appdata.exe.810000.0.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 9.2.appdata.exe.cf0000.1.unpack, ciBE.cs | .Net Code: NZBd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 0_2_00907515 push esi; ret 0_2_00907525
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 0_2_00906069 push 7D07029Dh; retf 0000h 0_2_0090606E
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 2_2_00047515 push esi; ret 2_2_00047525
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 2_2_00046069 push 7D07029Dh; retf 0000h 2_2_0004606E
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 3_2_00306069 push 7D07029Dh; retf 0000h 3_2_0030606E
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 3_2_00307515 push esi; ret 3_2_00307525
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_00997515 push esi; ret 4_2_00997525
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_00996069 push 7D07029Dh; retf 0000h 4_2_0099606E
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_012DCADB pushad ; retf 4_2_012DCADE
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_012DD597 push edi; retn 0000h 4_2_012DD599
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_012D4DC5 push ebx; retf 001Dh 4_2_012D4DC6
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_012D3C87 pushfd ; iretd 4_2_012D3C91
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_059C05BF push eax; retf 4_2_059C05D6
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_065D2858 push es; retf 4_2_065D2F80
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_065D2699 push es; retf 4_2_065D2F80
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_065D179A push es; retf 4_2_065D2F80
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_065D1BBF push es; retf 4_2_065D2F80
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_065D4620 push es; ret 4_2_065D56BC
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_065D2EAD push es; retf 4_2_065D2F80
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Code function: 4_2_065D53BA push es; ret 4_2_065D56BC
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_00646069 push 7D07029Dh; retf 0000h 5_2_0064606E
                  Source: C:\Users\user\appdata.exe | Code function: 5_2_00647515 push esi; ret 5_2_00647525
                  Source: C:\Users\user\appdata.exe | Code function: 7_2_00EF6069 push 7D07029Dh; retf 0000h 7_2_00EF606E
                  Source: C:\Users\user\appdata.exe | Code function: 7_2_00EF7515 push esi; ret 7_2_00EF7525
                  Source: initial sample | Static PE information: section name: .text entropy: 7.80940184151
                  Source: initial sample | Static PE information: section name: .text entropy: 7.80940184151

                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | File created: C:\Users\user\appdata.exe
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | File created: C:\Users\user\appdata.exe

                  Boot Survival:

                  Drops PE files to the user root directory
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | File created: C:\Users\user\appdata.exe
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run appdata
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run appdata

                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\appdata.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\appdata.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\appdata.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe Window / User API: threadDelayed 1051
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe Window / User API: threadDelayed 8474
                  Source: C:\Users\user\appdata.exe Window / User API: threadDelayed 620
                  Source: C:\Users\user\appdata.exe Window / User API: threadDelayed 9055
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe TID: 2276 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe TID: 4504 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe TID: 4368 Thread sleep time: -25825441703193356s >= -30000s
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe TID: 4444 Thread sleep count: 1051 > 30
                  Source: C:\Users\user\Desktop\l9RBxJ7phm.exe TID: 4444 Thread sleep count: 8474 > 30