
Analysis Report uIe6V8UT9c.exe

Overview

General Information

Sample Name:uIe6V8UT9c.exe
Analysis ID:255469
MD5:4eb0349360ac28e67c8fcdc0a7bdfa89
SHA1:f96e71aab5845581a18b19410a0be379496cedd0
SHA256:61f0cc39fa5610ea3e64197420fc7483be2dafce8c2fba24756a6dd3ea1e81a5

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • uIe6V8UT9c.exe (PID: 6904 cmdline: 'C:\Users\user\Desktop\uIe6V8UT9c.exe' MD5: 4EB0349360AC28E67C8FCDC0A7BDFA89)
    • AddInProcess32.exe (PID: 6620 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "YUKhcqM1IMrtpYn", "URL: ": "http://Mg0Owg4lJVBr2bzWx.org", "To: ": "ceejay@iklea-res.com", "ByHost: ": "smtp.iklea-res.com:587", "Password: ": "5gjnm0IoDgZJmE", "From: ": "ceejay@iklea-res.com"}

Yara Overview

Initial Sample

Source: uIe6V8UT9c.exe | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Memory Dumps

Source: 00000000.00000003.1375729591.00000000064B4000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000003.1373174175.0000000006465000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000003.1375450775.00000000064B4000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000000.1271281614.00000000008B2000.00000002.00020000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000003.1375631162.00000000064B4000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
(14 entries in total)

Unpacked PEs

Source: 0.2.uIe6V8UT9c.exe.8b0000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.0.uIe6V8UT9c.exe.8b0000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 6.2.AddInProcess32.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ParentCommandLine: 'C:\Users\user\Desktop\uIe6V8UT9c.exe' , ParentImage: C:\Users\user\Desktop\uIe6V8UT9c.exe, ParentProcessId: 6904, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 6620

Signature Overview

AV Detection:

Found malware configuration
Source: AddInProcess32.exe.6620.6.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "YUKhcqM1IMrtpYn", "URL: ": "http://Mg0Owg4lJVBr2bzWx.org", "To: ": "ceejay@iklea-res.com", "ByHost: ": "smtp.iklea-res.com:587", "Password: ": "5gjnm0IoDgZJmE", "From: ": "ceejay@iklea-res.com"}
Machine Learning detection for sample
Source: uIe6V8UT9c.exe | Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49743 -> 208.91.198.143:587
Source: global traffic | TCP traffic: 192.168.2.5:49743 -> 208.91.198.143:587
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: AddInProcess32.exe, 00000006.00000002.1542708409.0000000002D60000.00000004.00000001.sdmp | String found in binary or memory: http://Mg0Owg4lJVBr2bzWx.org
Source: AddInProcess32.exe, 00000006.00000002.1542708409.0000000002D60000.00000004.00000001.sdmp | String found in binary or memory: http://Mg0Owg4lJVBr2bzWx.orgl
Source: AddInProcess32.exe, 00000006.00000002.1550748580.0000000002E80000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.iklea-res.com
Source: AddInProcess32.exe, 00000006.00000002.1550748580.0000000002E80000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com

System Summary:

.NET source code contains very large array initializations
Source: uIe6V8UT9c.exe, u0037Pku0023Eu00244q6R/fu002a2D5Ru007ezY_.cs | Large array initialization: dA@34qL!_8: array initializer size 100352
Source: 0.0.uIe6V8UT9c.exe.8b0000.0.unpack, u0037Pku0023Eu00244q6R/fu002a2D5Ru007ezY_.cs | Large array initialization: dA@34qL!_8: array initializer size 100352
Source: 0.2.uIe6V8UT9c.exe.8b0000.0.unpack, u0037Pku0023Eu00244q6R/fu002a2D5Ru007ezY_.cs | Large array initialization: dA@34qL!_8: array initializer size 100352
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | Code function: 0_2_06152F28 CreateProcessAsUserW
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | Code function: 0_2_011AD680
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_00842050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_02AAFB30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_02AAFB20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_05170040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_051783F8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_05172F80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_05173C48
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_0517C160
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_05170006
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_05174071
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_051783E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_05172F72
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_05177528
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_05177905
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_051779A9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062AEE04
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A5670
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A5ED0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A7F00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A5770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A67C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A7C10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A0588
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062ADD88
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A4DC0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062ABA58
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A6AF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062AD308
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062AA978
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A3E60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A5660
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A56F3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A7EF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A5716
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A67B6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A7C00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A057A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062ADD79
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A457D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A4DB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A825E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A6AE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062ABAC1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062AC318
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A7370
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A7380
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A1393
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062AA968
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A49A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A499A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A19C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06398210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06398EF8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_063986C8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_0639EFB8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_0639E3B8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_0639D030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06390040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_0639B567
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_0639CA00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_063986B8
Source: uIe6V8UT9c.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uIe6V8UT9c.exe, 00000000.00000003.1375729591.00000000064B4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUCesQwJEavHCFtvxbVancIlKHfzOJLxkOdfvD.exe4 vs uIe6V8UT9c.exe
Source: uIe6V8UT9c.exe, 00000000.00000002.1379181020.0000000005260000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWlOsyZq.dllF vs uIe6V8UT9c.exe
Source: uIe6V8UT9c.exe, 00000000.00000002.1376526301.0000000000952000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDHL shipping Invoice 1000972400891.exe< vs uIe6V8UT9c.exe
Source: uIe6V8UT9c.exe, 00000000.00000002.1377215829.0000000002C71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameresourceLib.dll8 vs uIe6V8UT9c.exe
Source: uIe6V8UT9c.exe, 00000000.00000002.1377215829.0000000002C71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamerunfileinmemoryLib.dllF vs uIe6V8UT9c.exe
Source: uIe6V8UT9c.exe, 00000000.00000002.1380613058.00000000068E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAddInProcess32.exeT vs uIe6V8UT9c.exe
Source: uIe6V8UT9c.exe, 00000000.00000002.1379872144.0000000006040000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs uIe6V8UT9c.exe
Source: uIe6V8UT9c.exe | Binary or memory string: OriginalFilenameDHL shipping Invoice 1000972400891.exe< vs uIe6V8UT9c.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/1
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uIe6V8UT9c.exe.log
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: uIe6V8UT9c.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\uIe6V8UT9c.exe 'C:\Users\user\Desktop\uIe6V8UT9c.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: uIe6V8UT9c.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: uIe6V8UT9c.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: uIe6V8UT9c.exe, 00000000.00000002.1380613058.00000000068E0000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: AddInProcess32.pdbpw source: uIe6V8UT9c.exe, 00000000.00000002.1380613058.00000000068E0000.00000004.00000001.sdmp, AddInProcess32.exe, 00000006.00000000.1366402105.0000000000842000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | Code function: 0_2_008B86F3 push edx; retf 0_2_008B86F7
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | Code function: 0_2_06152574 push FFFFFFE8h; ret 0_2_06152579
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_05179FF8 push E8000000h; retf 6_2_0517A101
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A2736 push edi; iretd 6_2_062A2737
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062AA7A6 push ebp; iretd 6_2_062AA7A7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A27BC pushad ; iretd 6_2_062A27BD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A2F9F push 8BFFFFFFh; iretd 6_2_062A2FA4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062A2D08 push FFFFFFE8h; iretd 6_2_062A2D0D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_062AD81E push eax; retn 0008h 6_2_062AD81F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_0639512F push edi; retn 0000h 6_2_06395131
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 6_2_06392DBB push ebp; iretd 6_2_06392DBC
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\Desktop\uIe6V8UT9c.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion:

                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Thread delayed: delay time: 922337203685477 (2 identical events)
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Window / User API: threadDelayed 476
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Window / User API: threadDelayed 565
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe TID: 6944  Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe TID: 6944  Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe TID: 6476  Thread sleep count: 65 > 30
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe TID: 6476  Thread sleep count: 476 > 30
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe TID: 6924  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 2260  Thread sleep count: 31 > 30
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 2260  Thread sleep count: 565 > 30
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -55000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -54780s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -53686s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -53500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -52594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -52374s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -51500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -51280s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -50186s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -50000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -49094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -48874s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -48000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -46686s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -46500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -45594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -45374s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -44500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -44280s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -43000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -42500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -42280s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -42094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -41000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -40780s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -40500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -40280s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -40094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -39686s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -39500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -39186s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -39000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -38780s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -38094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -37874s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -37500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -37000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -36780s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -36594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -36374s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -35500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -35280s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -34594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -34374s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -34186s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -34000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -33280s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -33094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -32874s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -32594s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -32374s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -32186s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -32000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -31500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -31280s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -31094s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -30874s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -30686s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -30500s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -30186s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748  Thread sleep time: -30000s >= -30000s (2 identical events)
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Last function: Thread delayed
                    Source: AddInProcess32.exe, 00000006.00000002.1554992443.0000000005D90000.00000002.00000001.sdmp  Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: uIe6V8UT9c.exe, 00000000.00000002.1379181020.0000000005260000.00000004.00000001.sdmp  Binary or memory string: VMware, Inc.
                    Source: uIe6V8UT9c.exe, 00000000.00000002.1379181020.0000000005260000.00000004.00000001.sdmp  Binary or memory string: CompanyNameVMware, Inc.2
                    Source: uIe6V8UT9c.exe, 00000000.00000002.1379181020.0000000005260000.00000004.00000001.sdmp  Binary or memory string: ProductNameVMware WorkstationP
                    Source: AddInProcess32.exe, 00000006.00000002.1554992443.0000000005D90000.00000002.00000001.sdmp  Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: AddInProcess32.exe, 00000006.00000002.1554992443.0000000005D90000.00000002.00000001.sdmp  Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: uIe6V8UT9c.exe, 00000000.00000002.1379181020.0000000005260000.00000004.00000001.sdmp  Binary or memory string: CommentsVMware Workstation:
                    Source: uIe6V8UT9c.exe, 00000000.00000002.1379181020.0000000005260000.00000004.00000001.sdmp  Binary or memory string: VMware Workstation
                    Source: AddInProcess32.exe, 00000006.00000002.1554992443.0000000005D90000.00000002.00000001.sdmp  Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Code function: 6_2_062A1710 LdrInitializeThunk, 6_2_062A1710
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Memory allocated: page read and write | page guard
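The evasion lines in this section are the sandbox's own heuristics, and they are cheap to reproduce: a single delay whose magnitude reaches the 30000 threshold printed in each comparison, a thread issuing more than 30 sleep calls, and WMI enumeration of hardware classes whose instances carry hypervisor vendor strings. The script below is an added example, not part of this report or of the sandbox that produced it. It replays those three rules over a subset of the behaviour lines quoted above, copied from this report as sample input, and ranks the two processes by how many rules fired. The thresholds are the ones the report prints; the report suffixes each delay with "s" and compares it against 30000, so the script treats the printed value as a unitless magnitude and applies the same comparison. The WMI class list beyond the five classes that appear in this report is my assumption.

```python
import re
from collections import defaultdict

# Thresholds as printed in the report's own comparisons ("-55000s >= -30000s", "565 > 30").
LONG_SLEEP = 30_000       # single delay magnitude that counts as a long sleep
MAX_SLEEP_CALLS = 30      # sleep calls per thread that count as a stalling loop

# WMI classes whose instances expose hypervisor vendor strings. The first five appear
# in this report; Win32_ComputerSystem and Win32_DiskDrive are my assumption.
VM_FINGERPRINT_CLASSES = {
    "Win32_Bios", "Win32_BaseBoard", "Win32_NetworkAdapter",
    "Win32_NetworkAdapterConfiguration", "Win32_Processor",
    "Win32_ComputerSystem", "Win32_DiskDrive",
}

# One behaviour line of the report. The process path may be glued to the event name,
# as in the raw report, or separated by whitespace.
LINE_RE = re.compile(
    r"Source: (?P<proc>\S+?\.exe)"
    r"(?: TID: (?P<tid>\d+))?\s*"
    r"(?P<kind>WMI Queries|Thread sleep time|Thread sleep count)"
    r": (?P<detail>.*)"
)
FIRST_INT = re.compile(r"-?\d+")

# Sample input: a subset of the behaviour lines above, copied from this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\uIe6V8UT9c.exe TID: 6944Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Users\user\Desktop\uIe6V8UT9c.exe TID: 6476Thread sleep count: 476 > 30",
    r"Source: C:\Users\user\Desktop\uIe6V8UT9c.exe TID: 6924Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748Thread sleep time: -55000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 1748Thread sleep time: -54780s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 2260Thread sleep count: 565 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeLast function: Thread delayed",
]


def parse(line):
    """Split a report line into (process name, tid, event kind, detail); None if not scored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["proc"].rsplit("\\", 1)[-1], m["tid"], m["kind"], m["detail"]


def evaluate(lines):
    """Replay the three evasion heuristics per process and return the evidence for each."""
    per_proc = defaultdict(lambda: {
        "delays": [], "sleep_counts": [], "vm_wmi_classes": set(), "rules": set()})
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        proc, _tid, kind, detail = parsed
        rec = per_proc[proc]
        if kind == "Thread sleep time":
            # the first integer is the requested delay; the sign only marks it as relative
            delay = abs(int(FIRST_INT.search(detail).group()))
            rec["delays"].append(delay)
            if delay >= LONG_SLEEP:
                rec["rules"].add("long_sleep")
        elif kind == "Thread sleep count":
            count = int(FIRST_INT.search(detail).group())
            rec["sleep_counts"].append(count)
            if count > MAX_SLEEP_CALLS:
                rec["rules"].add("sleep_loop")
        elif kind == "WMI Queries":
            hit = set(re.findall(r"Win32_\w+", detail)) & VM_FINGERPRINT_CLASSES
            if hit:
                rec["vm_wmi_classes"] |= hit
                rec["rules"].add("vm_fingerprint_wmi")
    return dict(per_proc)


def score(evidence):
    """Order processes by how many evasion rules fired; ties broken by name."""
    return sorted(((proc, sorted(rec["rules"])) for proc, rec in evidence.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for proc, rules in score(evaluate(SAMPLE_LINES)):
        print(f"{proc}: {', '.join(rules) or 'no evasion rule fired'}")
```

Lines the rules do not score (such as "Last function: Thread delayed") are skipped rather than guessed at, so the same function can be pointed at a full report export.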

                    HIPS / PFW / Operating System Protection Evasion:

                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
                    Injects a PE file into a foreign process
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 448000
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 44A000
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: A54008
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                    Source: AddInProcess32.exe, 00000006.00000002.1541458940.0000000001630000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
                    Source: AddInProcess32.exe, 00000006.00000002.1541458940.0000000001630000.00000002.00000001.sdmp  Binary or memory string: Progman
                    Source: AddInProcess32.exe, 00000006.00000002.1541458940.0000000001630000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
                    Source: AddInProcess32.exe, 00000006.00000002.1541458940.0000000001630000.00000002.00000001.sdmp  Binary or memory string: Program Manager@
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Queries volume information: C:\Users\user\Desktop\uIe6V8UT9c.exe VolumeInformation
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical events)
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\uIe6V8UT9c.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
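Read together, the lines under "Allocates memory in foreign processes", "Injects a PE file" and "Writes to foreign memory regions" describe one injection chain: uIe6V8UT9c.exe creates AddInProcess32.exe, allocates an execute/read/write region in it at the default 32-bit image base 0x400000, writes a buffer beginning with 4D5A ("MZ") there, follows with page-aligned writes at 0x402000, 0x448000 and 0x44A000 (a section layout), and finishes with a small unaligned write at 0xA54008, far above the image. That is the RunPE sequence used by .NET loaders of this kind. The script below is an added example, not from the report or from the sandbox: it correlates such lines per (source, target) pair, independent of the order in which the report lists them, and names the pattern. Since the report prints no allocation size, the image extent is derived from the highest page-aligned write above the MZ base; reading the 0xA54008 write as the PEB ImageBaseAddress field (PEB+0x08 on 32-bit) is my inference and is labelled as such in the code.

```python
import re
from collections import defaultdict

PAGE = 0x1000

# The three kinds of report lines that make up a PE injection chain. The source
# path may be glued to the event name, as in the raw report, or separated by spaces.
CREATE_RE = re.compile(r"Source: (?P<src>\S+?\.exe)\s*Process created: (?P<dst>\S+?\.exe)")
ALLOC_RE = re.compile(
    r"Source: (?P<src>\S+?\.exe)\s*Memory allocated: (?P<dst>\S+?\.exe) "
    r"base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>[a-z ]+)")
WRITE_RE = re.compile(
    r"Source: (?P<src>\S+?\.exe)\s*Memory written: (?P<dst>\S+?\.exe) "
    r"base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?")

# Sample input copied from this report, in the report's own order (the process
# creation is listed after the writes, so correlation must not depend on order).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\uIe6V8UT9c.exe Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\uIe6V8UT9c.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\uIe6V8UT9c.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000",
    r"Source: C:\Users\user\Desktop\uIe6V8UT9c.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 448000",
    r"Source: C:\Users\user\Desktop\uIe6V8UT9c.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 44A000",
    r"Source: C:\Users\user\Desktop\uIe6V8UT9c.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: A54008",
    r"Source: C:\Users\user\Desktop\uIe6V8UT9c.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
]


def _name(path):
    return path.rsplit("\\", 1)[-1]


def correlate(lines):
    """Group create/alloc/write events per (source, target) and name the injection pattern."""
    chains = defaultdict(lambda: {
        "created": False, "rwx_allocs": set(), "mz_bases": set(), "writes": [], "rules": set()})
    for line in lines:
        line = line.strip()
        if m := CREATE_RE.match(line):
            chains[(_name(m["src"]), _name(m["dst"]))]["created"] = True
        elif m := ALLOC_RE.match(line):
            rec = chains[(_name(m["src"]), _name(m["dst"]))]
            if "execute" in m["prot"] and "write" in m["prot"]:
                rec["rwx_allocs"].add(int(m["base"], 16))
        elif m := WRITE_RE.match(line):
            rec = chains[(_name(m["src"]), _name(m["dst"]))]
            base = int(m["base"], 16)
            rec["writes"].append(base)
            if (m["magic"] or "").upper().startswith("4D5A"):   # 'MZ'
                rec["mz_bases"].add(base)

    for rec in chains.values():
        # An RWX region that receives a PE header is the core of the pattern.
        for image_base in rec["rwx_allocs"] & rec["mz_bases"]:
            rec["rules"].add("pe_header_written_to_rwx_region")
            if rec["created"]:
                rec["rules"].add("child_process_pe_injection")
            # Image extent: from the MZ base to one page past the highest page-aligned
            # write above it. The report prints no allocation size, so this is derived.
            section_writes = [w for w in rec["writes"] if w >= image_base and w % PAGE == 0]
            image_end = max(section_writes) + PAGE
            rec["image_range"] = (image_base, image_end)
            # A small unaligned write outside the image: in the RunPE pattern this is the
            # PEB ImageBaseAddress field (PEB+0x08 on 32-bit). Inference, not in the report.
            if any(not image_base <= w < image_end and w % PAGE != 0 for w in rec["writes"]):
                rec["rules"].add("unaligned_write_outside_image")
    return dict(chains)


if __name__ == "__main__":
    for (src, dst), rec in correlate(SAMPLE_LINES).items():
        lo, hi = rec.get("image_range", (0, 0))
        print(f"{src} -> {dst}: image 0x{lo:X}-0x{hi:X}, rules: {', '.join(sorted(rec['rules']))}")
```

The MZ write alone names nothing: without the matching execute/write allocation in the same target the chain stays unlabelled, which keeps ordinary cross-process writes (debuggers, accessibility tools) out of the verdict.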

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara match  File source: uIe6V8UT9c.exe, type: SAMPLE
                    Source: Yara match  File source: 00000000.00000003.1375729591.00000000064B4000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1373174175.0000000006465000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1375450775.00000000064B4000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000000.1271281614.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1375631162.00000000064B4000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000002.1378151111.0000000003CEB000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000002.1378261424.0000000003D99000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1372920213.0000000006442000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000006.00000002.1539873286.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1374922450.00000000064AD000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000002.1377215829.0000000002C71000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1373071824.0000000006452000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1375806589.00000000064B4000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000002.1376384890.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000006.00000002.1542708409.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: AddInProcess32.exe PID: 6620, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: uIe6V8UT9c.exe PID: 6904, type: MEMORY
                    Source: Yara match  File source: 0.2.uIe6V8UT9c.exe.8b0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 0.0.uIe6V8UT9c.exe.8b0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Tries to steal Mail credentials (via file access)
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical events)
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match  File source: 00000006.00000002.1542708409.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: AddInProcess32.exe PID: 6620, type: MEMORY
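The file and registry paths in this section are the credential stores of seven unrelated applications (WinSCP, Firefox, FileZilla, SmartFTP, Thunderbird, IncrediMail and Outlook), all opened by the injected AddInProcess32.exe, a process that owns none of them. That mismatch, and its breadth, is what a hunting rule should key on rather than any single path. The script below is an added example, not from the report or the sandbox: it maps each opened path to its store, checks whether the opening process is the store's legitimate owner, and escalates when one process reads stores belonging to two or more applications. The sample input is the report's own lines plus one constructed benign line (firefox.exe reading its own profiles.ini); the owner process names are my assumption, and IncrediMail is deliberately left without one so that any access to it counts as foreign.

```python
import re
from collections import defaultdict

# Credential stores touched in this report: (store name, case-insensitive path regex,
# processes that legitimately read it). Owner names are my assumption, not from the
# report; an empty owner set means every access is treated as foreign.
CREDENTIAL_STORES = [
    ("WinSCP sessions",          r"\\Martin Prikryl\\WinSCP 2\\Sessions$",              {"winscp.exe"}),
    ("Firefox profile",          r"\\Mozilla\\Firefox\\profiles\.ini$",                 {"firefox.exe"}),
    ("FileZilla recent servers", r"\\FileZilla\\recentservers\.xml$",                   {"filezilla.exe"}),
    ("SmartFTP favorites",       r"\\SmartFTP\\Client 2\.0\\Favorites\\",               {"smartftp.exe"}),
    ("Thunderbird profile",      r"\\Thunderbird\\profiles\.ini$",                      {"thunderbird.exe"}),
    ("IncrediMail identities",   r"\\IncrediMail\\Identities$",                         set()),
    ("Outlook MAPI profile",     r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", {"outlook.exe"}),
]

# One 'File opened' or 'Key opened' line; the process path may be glued to the event name.
LINE_RE = re.compile(r"Source: (?P<proc>.+?\.exe)\s*(?P<kind>File opened|Key opened): (?P<path>.*)")

# Sample input: the report's own lines, plus one constructed benign line at the end.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Program Files\Mozilla Firefox\firefox.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
""".strip().splitlines()


def classify(lines):
    """Map each process to the credential stores it opened and whether it owns each one."""
    hits = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proc = m["proc"].rsplit("\\", 1)[-1].lower()
        for store, pattern, owners in CREDENTIAL_STORES:
            if re.search(pattern, m["path"], re.IGNORECASE):
                hits[proc][store] = proc in owners
    return dict(hits)


def verdicts(hits, min_foreign_stores=2):
    """One verdict per process: benign, a single foreign read, or the multi-store stealer pattern."""
    out = {}
    for proc, stores in hits.items():
        foreign = sorted(store for store, owned in stores.items() if not owned)
        if not foreign:
            out[proc] = "benign: owner access only"
        elif len(foreign) >= min_foreign_stores:
            out[proc] = f"infostealer pattern: {len(foreign)} foreign credential stores"
        else:
            out[proc] = f"suspicious: foreign read of {foreign[0]}"
    return out


if __name__ == "__main__":
    for proc, verdict in verdicts(classify(SAMPLE_LINES)).items():
        print(f"{proc}: {verdict}")
```

The report's "File opened" and "Key opened" events are open/read operations. Sysmon records registry key creation and value writes (events 12 to 14) and file creation (event 11) but not reads, so reproducing this rule outside a sandbox needs file and registry access telemetry from an EDR or an ETW provider rather than Sysmon alone.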

                    Remote Access Functionality:

                    Yara detected AgentTesla
                    Source: Yara match  File source: uIe6V8UT9c.exe, type: SAMPLE
                    Source: Yara match  File source: 00000000.00000003.1375729591.00000000064B4000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1373174175.0000000006465000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1375450775.00000000064B4000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000000.1271281614.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1375631162.00000000064B4000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000002.1378151111.0000000003CEB000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000002.1378261424.0000000003D99000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1372920213.0000000006442000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000006.00000002.1539873286.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000000.00000003.1374922450.00000000064AD000.00000004.00000001.sdmp, type: MEMORY
                    Source: