
Windows Analysis Report DOCS.exe

Overview

General Information

Sample Name: DOCS.exe
Analysis ID: 452541
MD5: 8e2aa51f45393d980a4d9b20947976b6
SHA1: 44742c0e7752ece4ed49c40d0f1b4e893c291005
SHA256: 02e6972eec66f1f2b9898fa662d59c1f47856f180dad385d766399ecaf763f5b
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • DOCS.exe (PID: 4992 cmdline: 'C:\Users\user\Desktop\DOCS.exe' MD5: 8E2AA51F45393D980A4D9B20947976B6)
    • DOCS.exe (PID: 5928 cmdline: C:\Users\user\Desktop\DOCS.exe MD5: 8E2AA51F45393D980A4D9B20947976B6)
  • NXLun.exe (PID: 5372 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 8E2AA51F45393D980A4D9B20947976B6)
    • NXLun.exe (PID: 5388 cmdline: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe MD5: 8E2AA51F45393D980A4D9B20947976B6)
  • NXLun.exe (PID: 1660 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 8E2AA51F45393D980A4D9B20947976B6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000011.00000002.347157176.0000000003C1D000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(first 5 of 18 entries)

Unpacked PEs

Source | Rule | Description | Author
1.2.DOCS.exe.4045b60.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.DOCS.exe.4045b60.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.DOCS.exe.4085b80.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.DOCS.exe.4085b80.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.DOCS.exe.4045b60.6.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(first 5 of 23 entries)
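The dump names in the two tables above encode where each Yara hit was found, which is what separates "the payload was in memory somewhere" from "the payload was mapped as an image in a hollowed child". The Python below is an added example, not code from the Joe Sandbox report; it assumes the six-field layout <process number>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp, where the process number is the one used in this page's N.M.name labels (00000012 is process 18, as in 18.2.NXLun.exe.400000.0.unpack, and 00000011 is process 17, whose memory also carries the RunPE.pdb string) and the protection field holds the standard Windows PAGE_* constant. The stage and type fields are carried through but not interpreted. The rows are copied from the Memory Dumps table; the string list further down shows the same 0x402000 / protection 0x40 dump for process 4, the child DOCS.exe.

```python
import re
from dataclasses import dataclass

# Standard Windows memory-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumed layout of a Joe Sandbox .sdmp name (all fields hexadecimal):
#   <process number>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp
# The process number is the one used in the report's "N.M.name" labels
# (00000012 -> 18 -> "18.2.NXLun.exe.400000.0.unpack"). Stage and type are
# parsed but not interpreted here.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>[0-9A-Fa-f]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpInfo:
    process: int
    stage: int
    base: int
    protection: int
    kind: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:x}")

    @property
    def executable(self) -> bool:
        # Every PAGE_EXECUTE* constant lives in the high nibble of the low byte.
        return bool(self.protection & 0xF0)

    @property
    def writable(self) -> bool:
        return bool(self.protection & (0x04 | 0x08 | 0x40 | 0x80))


def parse_sdmp(name: str) -> DumpInfo:
    """Decode one .sdmp file name into its numeric fields."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return DumpInfo(
        process=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
        kind=int(m["kind"], 16),
    )


def hollowed_image_hits(rows):
    """From (dump name, rule) pairs keep the hits that sit in memory which is
    both writable and executable and whose base lies inside the default
    0x400000 PE image region: a payload already mapped into a target process.
    Hits in plain PAGE_READWRITE heap memory (e.g. 0x3CD5000) are left out; in
    this report they are most likely the decrypted payload staged by the RunPE
    injector before it is written into the suspended child."""
    hits = set()
    for name, rule in rows:
        info = parse_sdmp(name)
        if info.executable and info.writable and 0x400000 <= info.base < 0x500000:
            hits.add((info.process, hex(info.base), info.protection_name, rule))
    return sorted(hits)


# Rows copied from the "Memory Dumps" table above.
YARA_ROWS = [
    ("00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_2"),
    ("00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_2"),
    ("00000011.00000002.347157176.0000000003C1D000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
]

if __name__ == "__main__":
    for name, rule in YARA_ROWS:
        d = parse_sdmp(name)
        print(f"process {d.process:2d}  base {d.base:#x}  {d.protection_name:<22}  {rule}")
    for hit in hollowed_image_hits(YARA_ROWS):
        print("mapped-payload candidate:", hit)
```

Run stand-alone it lists the five dumps and then reports only the process 18 entries at 0x402000 with PAGE_EXECUTE_READWRITE, which together with the RunPE.pdb string and Avira's TR/Spy.Gen8 label on 18.2.NXLun.exe.400000.0.unpack is the footprint of process hollowing rather than of a packed payload sitting in the injector's own heap.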

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: DOCS.exe; Virustotal: Detection: 41%
Source: DOCS.exe; ReversingLabs: Detection: 52%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DOCS.exe; Joe Sandbox ML: detected
Source: 4.2.DOCS.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 18.2.NXLun.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: DOCS.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DOCS.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb source: DOCS.exe, NXLun.exe, 00000011.00000002.337797812.0000000002901000.00000004.00000001.sdmp
Source: global traffic; TCP traffic: 192.168.2.7:49738 -> 208.91.199.225:587
Source: unknown; DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: DOCS.exe, 00000004.00000002.506216357.0000000002ED0000.00000004.00000001.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp; String found in binary or memory: http://hFHvHh.com
Source: DOCS.exe, 00000004.00000002.506216357.0000000002ED0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.sectigo.com0A
Source: DOCS.exe, 00000004.00000002.506101125.0000000002EC6000.00000004.00000001.sdmp; String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%$
Source: NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: DOCS.exe, 00000004.00000002.506216357.0000000002ED0000.00000004.00000001.sdmp; String found in binary or memory: https://sectigo.com/CPS0
Source: DOCS.exe, 00000004.00000002.506391286.0000000002EED000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.506031808.0000000002EC0000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.505417799.0000000002E89000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.506468128.0000000002EF5000.00000004.00000001.sdmp; String found in binary or memory: https://wiYfivfC8nSIDolSjnz.org
Source: DOCS.exe, 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp, NXLun.exe, 00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: NXLun.exe, 00000011.00000002.336441928.0000000000BF8000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\DOCS.exe; File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_052D3F50
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_052C86F9
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_02C85440
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_02C85A88
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_02C83F68
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_02C85431
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_02C83F58
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00F53023
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00F507D0
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00F56B68
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00F51F88
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00F572C0
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00F59C50
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00F5CFD8
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00F8A208
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00F856A0
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00FD47A0
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00FD4790
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 4_2_00FD4772
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 17_2_04D2D688
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 17_2_04D26850
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 17_2_04D26FF8
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 17_2_04D26FE8
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 18_2_02E647A0
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 18_2_02E63E58
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 18_2_02E64772
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 18_2_02E64730
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 20_2_030C5431
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 20_2_030C5A88
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 20_2_030C3F58
Source: DOCS.exe; Binary or memory string: OriginalFilename vs DOCS.exe
Source: DOCS.exe, 00000001.00000002.241023078.0000000000962000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameSymlink-Maker.exe< vs DOCS.exe
Source: DOCS.exe, 00000001.00000002.247879758.00000000052C0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameRunPE.dll" vs DOCS.exe
Source: DOCS.exe, 00000001.00000002.243031996.0000000003E8C000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameWallpaperChanger.dllB vs DOCS.exe
Source: DOCS.exe, 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameufAxLJHDduVRtbIELqoQRnLFzE.exe4 vs DOCS.exe
Source: DOCS.exe, 00000004.00000002.496448083.00000000007B2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameSymlink-Maker.exe< vs DOCS.exe
Source: DOCS.exe, 00000004.00000002.510065671.0000000005FB0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs DOCS.exe
Source: DOCS.exe, 00000004.00000002.496583189.0000000000B58000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DOCS.exe
Source: DOCS.exe, 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameufAxLJHDduVRtbIELqoQRnLFzE.exe4 vs DOCS.exe
Source: DOCS.exe; Binary or memory string: OriginalFilenameSymlink-Maker.exe< vs DOCS.exe
Source: DOCS.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DOCS.exe, Regedit.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.0.DOCS.exe.890000.0.unpack, Regedit.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.DOCS.exe.890000.0.unpack, Regedit.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: NXLun.exe.4.dr, Regedit.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: NXLun.exe.4.dr, Regedit.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.0.DOCS.exe.6e0000.0.unpack, Regedit.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.DOCS.exe.6e0000.0.unpack, Regedit.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.NXLun.exe.3a0000.0.unpack, Regedit.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.NXLun.exe.3a0000.0.unpack, Regedit.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.NXLun.exe.3a0000.0.unpack, Regedit.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.NXLun.exe.3a0000.0.unpack, Regedit.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.DOCS.exe.890000.0.unpack, Regedit.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.DOCS.exe.890000.0.unpack, Regedit.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.DOCS.exe.890000.0.unpack, Regedit.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.DOCS.exe.890000.0.unpack, Regedit.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.DOCS.exe.6e0000.1.unpack, Regedit.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.DOCS.exe.6e0000.1.unpack, Regedit.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DOCS.exe, Regedit.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: DOCS.exe, Regedit.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 18.0.NXLun.exe.a30000.0.unpack, Regedit.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.0.NXLun.exe.a30000.0.unpack, Regedit.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine; Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
Source: C:\Users\user\Desktop\DOCS.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DOCS.exe.log
Source: DOCS.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DOCS.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DOCS.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DOCS.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DOCS.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DOCS.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: DOCS.exe; Virustotal: Detection: 41%
Source: DOCS.exe; ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\DOCS.exe; File read: C:\Users\user\Desktop\DOCS.exe
Source: unknown; Process created: C:\Users\user\Desktop\DOCS.exe 'C:\Users\user\Desktop\DOCS.exe'
Source: C:\Users\user\Desktop\DOCS.exe; Process created: C:\Users\user\Desktop\DOCS.exe C:\Users\user\Desktop\DOCS.exe
Source: unknown; Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Source: unknown; Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\Desktop\DOCS.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\DOCS.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DOCS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DOCS.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DOCS.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb source: DOCS.exe, NXLun.exe, 00000011.00000002.337797812.0000000002901000.00000004.00000001.sdmp
Source: DOCS.exe; Static PE information: 0x91B5E3D7 [Thu Jun 20 04:11:03 2047 UTC]
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_052C513D pushfd ; retf 1_2_052C5143
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_052C4D87 push ebx; iretd 1_2_052C4D88
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_052C936D push es; iretd 1_2_052C936E
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_052C76F5 push ss; retf 1_2_052C7892
Source: C:\Users\user\Desktop\DOCS.exe; Code function: 1_2_02C8C032 push edx; retf 1_2_02C8C02A
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 17_2_04D29092 push E0E8CE8Bh; ret 17_2_04D2909D
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 17_2_04D2E9C2 pushad ; ret 17_2_04D2E9C9
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 17_2_04D265E3 push 2400025Eh; retf 17_2_04D265F1
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Code function: 17_2_04D2EE73 push ebp; retf 17_2_04D2EE78
Source: C:\Users\user\Desktop\DOCS.exe; File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Source: C:\Users\user\Desktop\DOCS.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun
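The static PE line above (0x91B5E3D7, 20 June 2047) is what the "Binary contains a suspicious time stamp" signature keys on. The Python below is an added example, not code from the report: it builds a constructed minimal PE header carrying that timestamp, parses the COFF header and the COM descriptor data directory the way a triage script would, and flags the timestamp relative to an analysis date passed in as a Unix time. It also carries the caveat a practitioner needs for this sample: the static PE information on this page lists IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, so DOCS.exe is a .NET assembly, and deterministic .NET builds (the Roslyn default) write a hash of the build inputs into TimeDateStamp, which makes an impossible date on a .NET binary a far weaker signal than on native code. The reference date in the usage call is an assumption for the demo, not the analysis date of this report.

```python
import struct
import time
from datetime import datetime, timezone

DOCS_EXE_TIMESTAMP = 0x91B5E3D7  # TimeDateStamp reported on this page for DOCS.exe

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def build_minimal_pe(time_date_stamp: int, dotnet: bool = True) -> bytes:
    """Constructed test input: a DOS stub whose e_lfanew points at 'PE\\0\\0',
    a COFF file header with the given TimeDateStamp and a PE32 optional header
    with 16 data directories. Enough for header parsing; not a loadable image."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, time_date_stamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if dotnet:
        # A non-zero COM descriptor directory marks a .NET assembly (this page
        # reports IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR for DOCS.exe).
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_header(data: bytes) -> dict:
    """Read the fields a timestamp triage needs straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, _, ts, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        dir_off = opt_off + 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        dir_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", data, dir_off - 4)
    clr_rva = clr_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from("<II", data, dir_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)
    return {
        "machine": machine,
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
        "timestamp": ts,
        "compiled_at": datetime.fromtimestamp(ts, tz=timezone.utc),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def assess_timestamp(info: dict, reference_unix=None) -> list:
    """Reasons (possibly none) the COFF timestamp is suspicious relative to
    reference_unix, normally the time the sample was analysed."""
    ref = reference_unix if reference_unix is not None else int(time.time())
    ts = info["timestamp"]
    reasons = []
    if ts in (0, 0xFFFFFFFF):
        reasons.append("timestamp is a zeroed or sentinel value")
    elif ts > ref:
        reasons.append(f"timestamp {info['compiled_at']:%Y-%m-%d %H:%M:%S} UTC lies in the future")
    if reasons and info["is_dotnet"]:
        # Caveat: deterministic .NET builds store a hash of the build inputs in
        # TimeDateStamp, so an impossible date on a .NET binary is expected far
        # more often than on native code and should not drive a verdict alone.
        reasons.append("binary is .NET: deterministic builds emit hash-derived timestamps, weak signal")
    return reasons


if __name__ == "__main__":
    REFERENCE = 1625097600  # 2021-07-01 00:00:00 UTC; an assumed analysis date for the demo
    info = parse_pe_header(build_minimal_pe(DOCS_EXE_TIMESTAMP))
    print(f"{info['compiled_at']:%Y-%m-%d %H:%M:%S} UTC  32-bit={info['is_32bit']}  .NET={info['is_dotnet']}")
    for reason in assess_timestamp(info, REFERENCE):
        print(" -", reason)
```

The header offsets are taken straight from the PE/COFF specification (NumberOfRvaAndSizes sits four bytes before the first data directory in both PE32 and PE32+), so the same parser works on a real DOCS.exe read from disk; the constructed header only stands in for it here.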

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DOCS.exe; File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\DOCS.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DOCS.exe; Process information set: NOOPENFILEERRORBOX (reported 70 times)
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX (80 identical entries)

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DOCS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DOCS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\DOCS.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DOCS.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DOCS.exe Window / User API: threadDelayed 1070
Source: C:\Users\user\Desktop\DOCS.exe Window / User API: threadDelayed 8785
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Window / User API: threadDelayed 9549
Source: C:\Users\user\Desktop\DOCS.exe TID: 1232 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DOCS.exe TID: 5072 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\DOCS.exe TID: 5712 Thread sleep count: 1070 > 30