Analysis Report DOC04121993.exe

Overview

General Information

Sample Name: DOC04121993.exe
Analysis ID: 321396
MD5: 710843b45a8e65c939d3ab4fb96d73e4
SHA1: 909799ac70c5a8a472b40579ff0c5bc982979676
SHA256: d0ea8610ecee6c92c50af51c37a0a49f8550768609a08a5a2dcaf98bb06dcff3
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • DOC04121993.exe (PID: 2576 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' MD5: 710843B45A8E65C939D3AB4FB96D73E4)
    • notepad.exe (PID: 4472 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
    • DOC04121993.exe (PID: 1000 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' MD5: 710843B45A8E65C939D3AB4FB96D73E4)
    • DOC04121993.exe (PID: 1832 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' 2 1000 3714343 MD5: 710843B45A8E65C939D3AB4FB96D73E4)
  • wscript.exe (PID: 2168 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • DOC04121993.exe (PID: 5080 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' MD5: 710843B45A8E65C939D3AB4FB96D73E4)
      • notepad.exe (PID: 780 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • DOC04121993.exe (PID: 1956 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' MD5: 710843B45A8E65C939D3AB4FB96D73E4)
      • DOC04121993.exe (PID: 5320 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' 2 1956 3726421 MD5: 710843B45A8E65C939D3AB4FB96D73E4)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "bq6qu", "URL: ": "http://vd2JBRKVM6n.net", "To: ": "info@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "IhNKJa9", "From: ": "info@hybridgroupco.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.464088936.00000000009E2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.199767698.0000000002705000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.464255746.0000000002242000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 16 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.DOC04121993.exe.2290000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.DOC04121993.exe.2240000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.DOC04121993.exe.2150000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.DOC04121993.exe.980000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.DOC04121993.exe.21b0000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 8 entries shown)

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\notepad.exe, ProcessId: 4472, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs

Signature Overview

AV Detection:

Found malware configuration
Source: DOC04121993.exe.1000.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "bq6qu", "URL: ": "http://vd2JBRKVM6n.net", "To: ": "info@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "IhNKJa9", "From: ": "info@hybridgroupco.com"}
Multi AV Scanner detection for domain / URL
Source: mail.hybridgroupco.com | Virustotal: Detection: 9%
Multi AV Scanner detection for submitted file
Source: DOC04121993.exe | Virustotal: Detection: 69%
Source: DOC04121993.exe | ReversingLabs: Detection: 81%
Machine Learning detection for sample
Source: DOC04121993.exe | Joe Sandbox ML: detected
Source: 2.2.DOC04121993.exe.2240000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.2.DOC04121993.exe.2290000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.DOC04121993.exe.2750000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.DOC04121993.exe.22e0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.DOC04121993.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00408A78 FindFirstFileA,GetLastError
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00408A78 FindFirstFileA,GetLastError
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00408A78 FindFirstFileA,GetLastError
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00408A78 FindFirstFileA,GetLastError
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 66.70.204.222:587
Source: Joe Sandbox View | IP Address: 66.70.204.222
Source: Joe Sandbox View | ASN Name: OVHFR
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233A186 recv
Source: unknown | DNS traffic detected: queries for: mail.hybridgroupco.com
Source: DOC04121993.exe, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp | String found in binary or memory: http://127.0.0.1:
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: DOC04121993.exe, 00000002.00000002.467888799.0000000002B70000.00000004.00000001.sdmp | String found in binary or memory: http://vd2JBRKVM6n.net
Source: DOC04121993.exe, 00000002.00000002.467655668.0000000002A92000.00000004.00000001.sdmp | String found in binary or memory: http://vd2JBRKVM6n.net$
Source: DOC04121993.exe, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: DOC04121993.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/
Source: DOC04121993.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DOC04121993.exe, 00000000.00000002.199767698.0000000002705000.00000040.00000001.sdmp, DOC04121993.exe, 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp, DOC04121993.exe, 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004070F2 OpenClipboard
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00422CC4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00423308 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045E108 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA
Source: DOC04121993.exe, 00000000.00000002.198945887.000000000084A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045AACC NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0044F67C GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00433DC8 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0043FF18 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0046E159 NtCreateSection
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233B362 NtQuerySystemInformation
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233B331 NtQuerySystemInformation
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045AACC NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0044F67C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00433DC8 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0043FF18 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045AACC NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0044F67C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00433DC8 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0043FF18 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004551A0
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_00467976
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0046D13D
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3B6E8
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E33468
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3702E
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E20007
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E39010
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E331F8
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3DBB8
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E39388
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E37990
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E31568
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E31D20
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3CB3F
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3810F
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3C8EB
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E39CFE
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3C8AF
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E384B1
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E328B8
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E348BE
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3C889
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E32099
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E37A98
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3566C
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E36A72
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3C877
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E37E78
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E36C35
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E39000
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E33468
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E355D3
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3A3A2
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3DBA9
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E357AD
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E38998
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E39378
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3155A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E32136
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E3553A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E39D03
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E39D08
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_04E31D10
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE07F0
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE59C8
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE0D10
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE7710
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE5370
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE3740
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE1CC0
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE7E08
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE8648
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE0DBB
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE7DF8
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE63CC
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE0DCD
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE07D3
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE3731
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE7703
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE1115
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE1EA3
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE72BC
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE1CB0
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE7E87
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE0E93
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE0CF9
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE08D6
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE0A2A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE2414
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05AE0E6A
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05B5A148
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05B5AED0
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05B5EAD0
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05B5BE50
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_05B5B250
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_004551A0
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_004551A0
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 7_2_00467976
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 7_2_0046D13D
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_004551A0
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00467F3C appears 33 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 004264A4 appears 36 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00413454 appears 32 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 004145C0 appears 40 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00403648 appears 113 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0040274C appears 38 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00404AA4 appears 40 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0041E128 appears 32 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0041E918 appears 36 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00403A14 appears 131 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0040674C appears 64 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00403E90 appears 53 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 004043D8 appears 69 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0040699C appears 52 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 004060E8 appears 40 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0040C464 appears 72 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 004043B4 appears 309 times
Source: DOC04121993.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST (12 resources of this kind)
                      Source: DOC04121993.exe, 00000000.00000002.199905445.0000000002766000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000000.00000002.198869393.00000000006B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs DOC04121993.exe
                      Source: DOC04121993.exe | Binary or memory string: OriginalFilename vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000002.00000002.468977606.00000000059E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000003.00000002.224468567.0000000002160000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000005.00000002.226401330.0000000002170000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs DOC04121993.exe
                      Source: DOC04121993.exe | Binary or memory string: OriginalFilename vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000007.00000001.223556134.00000000004D6000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
                      Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                      Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                      Source: 0.2.DOC04121993.exe.2690000.3.unpack, DPAPI.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                      Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@16/2@1/1
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00420390 GetLastError,FormatMessageA, 0_2_00420390
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233B1E6 AdjustTokenPrivileges, 2_2_0233B1E6
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233B1AF AdjustTokenPrivileges, 2_2_0233B1AF
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00408D0A GetDiskFreeSpaceA, 0_2_00408D0A
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00416B24 FindResourceA,LoadResource,SizeofResource,LockResource, 0_2_00416B24
                      Source: C:\Windows\SysWOW64\notepad.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs'
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Users\user\Desktop\DOC04121993.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\DOC04121993.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\DOC04121993.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: DOC04121993.exe | Virustotal: Detection: 69%
                      Source: DOC04121993.exe | ReversingLabs: Detection: 81%
                      Source: unknown | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
                      Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
                      Source: unknown | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1000 3714343
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs'
                      Source: unknown | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
                      Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
                      Source: unknown | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1956 3726421
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1000 3714343
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1956 3726421
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Users\user\Desktop\DOC04121993.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\DOC04121993.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

                      Data Obfuscation:

                      Detected unpacking (changes PE section rights)
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Unpacked PE file: 2.2.DOC04121993.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                      Detected unpacking (creates a PE file in dynamic memory)
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Unpacked PE file: 2.2.DOC04121993.exe.2240000.3.unpack
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Unpacked PE file: 7.2.DOC04121993.exe.2290000.3.unpack
                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Unpacked PE file: 2.2.DOC04121993.exe.400000.0.unpack
                      .NET source code contains potential unpacker
                      Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 2.2.DOC04121993.exe.400000.0.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 2.2.DOC04121993.exe.9e0000.2.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.DOC04121993.exe.21b0000.2.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.DOC04121993.exe.2290000.3.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00446CD4
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00447320 push 004473ADh; ret 0_2_004473A5
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00426024 push 00426050h; ret 0_2_00426048
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00428038 push 00428064h; ret 0_2_0042805C
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00466080 push 004660ACh; ret 0_2_004660A4
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040C090 push 0040C20Ch; ret 0_2_0040C204
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0046C150 push 0046C1C6h; ret 0_2_0046C1BE
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00450134 push 0045019Fh; ret 0_2_00450197
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040C20E push 0040C27Fh; ret 0_2_0040C277
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040C210 push 0040C27Fh; ret 0_2_0040C277
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004482CC push ecx; mov dword ptr [esp], edx 0_2_004482D0
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004262DC push 00426308h; ret 0_2_00426300
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040C2EE push 0040C31Ch; ret 0_2_0040C314
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040C2F0 push 0040C31Ch; ret 0_2_0040C314
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0041A288 push ecx; mov dword ptr [esp], edx 0_2_0041A28A
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00410324 push 00410385h; ret 0_2_0041037D
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00410388 push 00410589h; ret 0_2_00410581
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0042646C push 00426498h; ret 0_2_00426490
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0044856C push ecx; mov dword ptr [esp], edx 0_2_00448570
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00470574 push 004705A0h; ret 0_2_00470598
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0041058C push 004106D0h; ret 0_2_004106C8
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040660A push 0040665Dh; ret 0_2_00406655
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040660C push 0040665Dh; ret 0_2_00406655
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004106A4 push 004106D0h; ret 0_2_004106C8
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0043277C push 004327A8h; ret 0_2_004327A0
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004067DC push 00406808h; ret 0_2_00406800
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004327EC push 00432818h; ret 0_2_00432810
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004327B4 push 004327E0h; ret 0_2_004327D8
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0044884C push 00448878h; ret 0_2_00448870
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00406854 push 00406880h; ret 0_2_00406878
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0043285C push 00432888h; ret 0_2_00432880
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00432824 push 00432850h; ret 0_2_00432848

                      Boot Survival:

                      Drops VBS files to the startup folder
                      Source: C:\Windows\SysWOW64\notepad.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_0045AB54
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_004266A4
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_00442778
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0045B248
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_0045B2F8
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004415EC IsIconic,GetCapture, 0_2_004415EC
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00457C48
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_00441E94
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 3_2_0045AB54
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_004266A4
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 3_2_00442778
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 3_2_0045B248
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 3_2_0045B2F8
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_004415EC IsIconic,GetCapture, 3_2_004415EC
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 3_2_00457C48
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 3_2_00441E94
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 5_2_0045AB54
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect, 5_2_004266A4
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 5_2_00442778
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 5_2_0045B248
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 5_2_0045B2F8
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_004415EC IsIconic,GetCapture, 5_2_004415EC
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 5_2_00457C48
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 5_2_00441E94
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect, 8_2_004266A4
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 8_2_00442778
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 8_2_0045AB54
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA, 8_2_0045B248
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus, 8_2_0045B2F8
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_004415EC IsIconic,GetCapture, 8_2_004415EC
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 8_2_00457C48
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 8_2_00441E94
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00446CD4
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Contains functionality to detect sleep reduction / modifications
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00436808
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00436808
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00436808
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00436808
                      Delayed program exit found
                      Source: C:\Windows\SysWOW64\notepad.exe Code function: 1_2_00A305C0 Sleep,ExitProcess
                      Source: C:\Windows\SysWOW64\notepad.exe Code function: 6_2_003F05C0 Sleep,ExitProcess
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_0045A128
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 3_2_0045A128
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 5_2_0045A128
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 8_2_0045A128
                      Source: C:\Users\user\Desktop\DOC04121993.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00436808
                      Source: C:\Users\user\Desktop\DOC04121993.exe TID: 1064 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\DOC04121993.exe TID: 1064 Thread sleep time: -30000s >= -30000s