Analysis Report mcsrXx9lfD.exe

Overview

General Information

Sample Name: mcsrXx9lfD.exe
Analysis ID: 321297
MD5: 3d549885e44863c57f59eab47f2271cc
SHA1: 76c51be921ef41ff2596f3f882b91c8ede3713c7
SHA256: 1d9c8ee9be6e0ee20b600c71989292aa2efd0849611389e3121bae364d9d6adf
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • mcsrXx9lfD.exe (PID: 7076 cmdline: 'C:\Users\user\Desktop\mcsrXx9lfD.exe' MD5: 3D549885E44863C57F59EAB47F2271CC)
    • mcsrXx9lfD.exe (PID: 7100 cmdline: 'C:\Users\user\Desktop\mcsrXx9lfD.exe' MD5: 3D549885E44863C57F59EAB47F2271CC)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "In9AcPpFuU", "URL: ": "http://Gwd19zMdFbudWhUhS.net", "To: ": "sales1@tzdieep.net", "ByHost: ": "smtp.tzdieep.net:587", "Password: ": "Ttlj1OTOO1N4A", "From: ": "sales1@tzdieep.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.680869571.0000000002632000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000001.679937947.000000000044B000.00000040.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.946830924.0000000000792000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(truncated; 11 entries)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.mcsrXx9lfD.exe.b20000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.mcsrXx9lfD.exe.630000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.mcsrXx9lfD.exe.630000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.mcsrXx9lfD.exe.25e0000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.mcsrXx9lfD.exe.25e0000.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(truncated; 4 entries)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: mcsrXx9lfD.exe.7100.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "In9AcPpFuU", "URL: ": "http://Gwd19zMdFbudWhUhS.net", "To: ": "sales1@tzdieep.net", "ByHost: ": "smtp.tzdieep.net:587", "Password: ": "Ttlj1OTOO1N4A", "From: ": "sales1@tzdieep.net"}
Multi AV Scanner detection for submitted file
Source: mcsrXx9lfD.exe | Virustotal: Detection: 61%
Source: mcsrXx9lfD.exe | ReversingLabs: Detection: 79%
Machine Learning detection for sample
Source: mcsrXx9lfD.exe | Joe Sandbox ML: detected
Source: 1.1.mcsrXx9lfD.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.mcsrXx9lfD.exe.b20000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00408938 FindFirstFileA,GetLastError,0_2_00408938
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405AC0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49766 -> 208.91.199.225:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49767 -> 208.91.199.225:587
May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.4:49766 -> 208.91.199.225:587
Source: Joe Sandbox View | IP Address: 54.235.83.248
Source: Joe Sandbox View | IP Address: 54.235.83.248
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | TCP traffic: 192.168.2.4:49766 -> 208.91.199.225:587
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: mcsrXx9lfD.exe, 00000001.00000002.948044914.00000000029B5000.00000004.00000001.sdmp, mcsrXx9lfD.exe, 00000001.00000002.948310266.0000000002BC2000.00000004.00000001.sdmp | String found in binary or memory: http://Gwd19zMdFbudWhUhS.net
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: http://QBfyHm.com
Source: mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mcsrXx9lfD.exe, 00000001.00000002.948356194.0000000002C0D000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.tzdieep.net
Source: mcsrXx9lfD.exe, 00000001.00000002.948356194.0000000002C0D000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: mcsrXx9lfD.exe, 00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp, mcsrXx9lfD.exe, 00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: mcsrXx9lfD.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: mcsrXx9lfD.exe, 00000001.00000002.947961808.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0040703E OpenClipboard,0_2_0040703E
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0043258C GetClipboardData,GlobalFix,GlobalUnWire,0_2_0043258C
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0045BDA0 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,0_2_0045BDA0
Source: mcsrXx9lfD.exe, 00000000.00000002.680509638.000000000083A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00457E74 NtdllDefWindowProc_A,0_2_00457E74
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_004585F0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_004586A0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0042E8BC NtdllDefWindowProc_A,0_2_0042E8BC
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0044CA64 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_0044CA64
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0043CE20 NtdllDefWindowProc_A,GetCapture,0_2_0043CE20
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 1_2_00444159 NtCreateSection,1_2_00444159
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: String function: 00403980 appears 38 times
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: String function: 00404320 appears 79 times
Source: mcsrXx9lfD.exe, 00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameZQtNfvtFGCsonuAQoHKxGPIofZqXzdgRHbUF.exe4 vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000000.00000002.680456134.00000000007B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe | Binary or memory string: OriginalFilename vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameZQtNfvtFGCsonuAQoHKxGPIofZqXzdgRHbUF.exe4 vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.946352836.0000000000198000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.950384937.00000000056C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.947135544.0000000000B00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.947103907.0000000000AE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs mcsrXx9lfD.exe
Source: mcsrXx9lfD.exe, 00000001.00000002.946942776.0000000000820000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs mcsrXx9lfD.exe
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Section loaded: mscorwks.dll
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Section loaded: mscorsec.dll
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Section loaded: mscorjit.dll
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/2
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00420594 GetLastError,FormatMessageA,0_2_00420594
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00408B02 GetDiskFreeSpaceA,0_2_00408B02
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00416D64 FindResourceA,LoadResource,SizeofResource,LockResource,0_2_00416D64
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | File created: C:\Users\user\AppData\Roaming\mmnabeka.1fc
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: mcsrXx9lfD.exe | Virustotal: Detection: 61%
Source: mcsrXx9lfD.exe | ReversingLabs: Detection: 79%
Source: unknown | Process created: C:\Users\user\Desktop\mcsrXx9lfD.exe 'C:\Users\user\Desktop\mcsrXx9lfD.exe'
Source: unknown | Process created: C:\Users\user\Desktop\mcsrXx9lfD.exe 'C:\Users\user\Desktop\mcsrXx9lfD.exe'
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Process created: C:\Users\user\Desktop\mcsrXx9lfD.exe 'C:\Users\user\Desktop\mcsrXx9lfD.exe'
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Unpacked PE file: 1.2.mcsrXx9lfD.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Unpacked PE file: 1.2.mcsrXx9lfD.exe.400000.0.unpack
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_00443C20
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00444250 push 004442DDh; ret 0_2_004442D5
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0040C020 push 0040C038h; ret 0_2_0040C030
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0040C03A push 0040C0ABh; ret 0_2_0040C0A3
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0040C03C push 0040C0ABh; ret 0_2_0040C0A3
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00410150 push 004101B1h; ret 0_2_004101A9
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0040C11A push 0040C148h; ret 0_2_0040C140
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0040C11C push 0040C148h; ret 0_2_0040C140
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0046C120 push 0046C153h; ret 0_2_0046C14B
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0046C1DC push 0046C208h; ret 0_2_0046C200
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0045A1D8 push ecx; mov dword ptr [esp], edx 0_2_0045A1DD
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_004281DC push 00428208h; ret 0_2_00428200
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_004441E8 push 0044424Eh; ret 0_2_00444246
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00428190 push 004281D1h; ret 0_2_004281C9
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_004101B4 push 004103B5h; ret 0_2_004103AD
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00428214 push 0042824Ch; ret 0_2_00428244
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0046C22C push 0046C26Fh; ret 0_2_0046C267
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0041C234 push ecx; mov dword ptr [esp], edx 0_2_0041C239
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0046C2EC push 0046C318h; ret 0_2_0046C310
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0046C294 push 0046C2D7h; ret 0_2_0046C2CF
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00432364 push 004323BDh; ret 0_2_004323B5
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0046C324 push 0046C350h; ret 0_2_0046C348
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_004263D8 push 004264A8h; ret 0_2_004264A0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_004103B8 push 004104FCh; ret 0_2_004104F4
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00412470 push eax; retf 0041h 0_2_00412471
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0041A4C8 push ecx; mov dword ptr [esp], edx 0_2_0041A4CA
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_004104D0 push 004104FCh; ret 0_2_004104F4
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0047055C push 00470588h; ret 0_2_00470580
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00406576 push 004065C9h; ret 0_2_004065C1
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00406578 push 004065C9h; ret 0_2_004065C1
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00428538 push 00428564h; ret 0_2_0042855C
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0042C5E4 push 0042C610h; ret 0_2_0042C608
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00457EFC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_00457EFC
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0043E4F4 IsIconic,GetCapture,0_2_0043E4F4
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_004585F0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_004586A0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00426BA4 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00426BA4
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0043ED9C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_0043ED9C
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00454FF0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_00454FF0
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_0043F680 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_0043F680
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_00443C20
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\mcsrXx9lfD.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      Contains functionality to detect sleep reduction / modifications
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 0_2_0043372C
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_004574D0
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Window / User API: threadDelayed 774
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 0_2_0043372C
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -89673s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 5968 Thread sleep count: 774 > 30
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -56782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -79923s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -50782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -48282s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -44782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -43282s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -41282s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -38282s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -56673s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -36282s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -34782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -51423s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -31282s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -40923s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -35673s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -30423s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -59594s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -59374s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -58688s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -58500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -57594s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -86061s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -57000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -84750s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -56094s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -55874s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -55188s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -55000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -54782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -53874s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -80532s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -80250s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -53000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -52782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -78891s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -52374s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -52000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -51688s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -77250s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -76923s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -51094s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -50874s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -50594s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -50188s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -75000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -49782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -49500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -49282s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -73641s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -73311s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -48688s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -48500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -48000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -47782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -47094s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -46874s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -46688s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -69750s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -45594s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -68061s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -45000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -44688s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -66750s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -44282s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -44094s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -43500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -42594s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -42374s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -41188s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -40500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -38000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -36688s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -36500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -35594s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -35374s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -34500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -33500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -33188s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -32094s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -31874s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -31000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -58000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -57782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -43188s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -43000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -42094s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -41874s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -41000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -40782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -39688s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -39500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -38594s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -38374s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -37500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -37282s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -36000s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -35094s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -34874s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -33782s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -32688s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -32500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -31594s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -31374s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -30500s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe TID: 1476 Thread sleep time: -30282s >= -30000s
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 0_2_004703B0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 004703CBh
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 0_2_00408938 FindFirstFileA,GetLastError
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 0_2_00420B24 GetSystemInfo
                      Source: mcsrXx9lfD.exe, 00000001.00000002.950384937.00000000056C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: mcsrXx9lfD.exe, 00000001.00000003.902505301.00000000008EF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
                      Source: mcsrXx9lfD.exe, 00000001.00000002.950384937.00000000056C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: mcsrXx9lfD.exe, 00000001.00000002.950384937.00000000056C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: mcsrXx9lfD.exe, 00000001.00000002.950384937.00000000056C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Process queried: DebugFlags
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Process queried: DebugObjectHandle
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 1_2_00AFE800 LdrInitializeThunk
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 1_2_0043F6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 1_2_00443412 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 1_2_004434D0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 1_2_0043F6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 1_2_0043E746 SetUnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 1_2_00441D7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 1_2_0043FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Memory protected: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Section loaded: unknown target: C:\Users\user\Desktop\mcsrXx9lfD.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Process created: C:\Users\user\Desktop\mcsrXx9lfD.exe 'C:\Users\user\Desktop\mcsrXx9lfD.exe'
                      Source: mcsrXx9lfD.exe, 00000001.00000002.947333210.0000000000F80000.00000002.00000001.sdmp Binary or memory string: Program Manager
                      Source: mcsrXx9lfD.exe, 00000001.00000002.947333210.0000000000F80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                      Source: mcsrXx9lfD.exe, 00000001.00000002.947333210.0000000000F80000.00000002.00000001.sdmp Binary or memory string: Progman
                      Source: mcsrXx9lfD.exe, 00000001.00000002.947333210.0000000000F80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405C78
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040ACF0
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: GetLocaleInfoA, 0_2_00409940
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: GetLocaleInfoA, 0_2_0040998C
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405D84
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: GetLocaleInfoA, 1_2_00442A4A
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Queries volume information: C:\Users\user\Desktop\mcsrXx9lfD.exe VolumeInformation
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 0_2_004703B0 GetSystemTime,ExitProcess,6D8725A0
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Code function: 0_2_00444250 GetVersion
                      Source: C:\Users\user\Desktop\mcsrXx9lfD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match File source: 00000000.00000002.680903753.000000000267B000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.680869571.0000000002632000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.946404123.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000001.679937947.000000000044B000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.946830924.0000000000792000.00000004.00000001.sdmp, type: MEMORY