Windows Analysis Report MV THALASSINI (EX- OCEAN LORD).doc.exe

AV Detection:

Found malware configuration

Source: 15.2.fffik.exe.3e30390.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "zzlogs@gurnarshipping.com", "Password": "lSeZyYA0", "Host": "smtp.gurnarshipping.com"}

Multi AV Scanner detection for submitted file

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	Virustotal: Detection: 61%			Perma Link
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	Metadefender: Detection: 42%			Perma Link
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	ReversingLabs: Detection: 62%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Virustotal: Detection: 61%			Perma Link
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Metadefender: Detection: 42%			Perma Link
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	ReversingLabs: Detection: 62%

Machine Learning detection for sample

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 23.0.fffik.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack	Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack	Avira: Label: TR/Spy.Gen8
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 23.2.fffik.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack	Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack	Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

URLs found in memory or binary data

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp	String found in binary or memory: http://KSLlwF.com
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, fffik.exe, 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, fffik.exe, 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: fffik.exe, 0000000F.00000002.553845655.00000000011DA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs	Large array initialization: .cctor: array initializer size 11764
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs	Large array initialization: .cctor: array initializer size 11764
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs	Large array initialization: .cctor: array initializer size 11764

Uses 32bit PE files

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Detected potential crypto function

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_027F9250		0_2_027F9250
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_027F0448		0_2_027F0448
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_027F3991		0_2_027F3991
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_027F042B		0_2_027F042B
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F50040		0_2_04F50040
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F55568		0_2_04F55568
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F5B065		0_2_04F5B065
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F6195D		0_2_04F6195D
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F656E8		0_2_04F656E8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F70040		0_2_04F70040
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F793A8		0_2_04F793A8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F50006		0_2_04F50006
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F656D8		0_2_04F656D8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F70007		0_2_04F70007
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 7_2_018046A0		7_2_018046A0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 7_2_018045BA		7_2_018045BA
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 7_2_0180D261		7_2_0180D261
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_01190448		15_2_01190448
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_01199260		15_2_01199260
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_0119042A		15_2_0119042A
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_052F5568		15_2_052F5568
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_052F0040		15_2_052F0040
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_052FB065		15_2_052FB065
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_0530195D		15_2_0530195D
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_053056E8		15_2_053056E8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_05310040		15_2_05310040
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_053193A8		15_2_053193A8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_05319398		15_2_05319398
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_05310007		15_2_05310007
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_01199250		15_2_01199250
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_052F0006		15_2_052F0006
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_053056D8		15_2_053056D8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 23_2_012B46A0		23_2_012B46A0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 23_2_012B45B0		23_2_012B45B0

Sample file is different than original file name gathered from version info

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000000.293118049.000000000018B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.408760139.00000000029D0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.398680316.000000000018B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.400547432.0000000000438000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe

PE file contains strange resources

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample is known by Antivirus

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	Virustotal: Detection: 61%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	Metadefender: Detection: 42%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	ReversingLabs: Detection: 62%

PE file has an executable .text section and no other executable section

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe"
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Creates files inside the user directory

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

File created: C:\Users\user\AppData\Roaming\fffik

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/2@0/0

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

.NET source code contains long base64-encoded strings

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, GetILGenerator.cs	Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, M_ignoreTypeLoadFailures.cs	Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs	Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.cs	Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 0.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.cs	Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 0.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs	Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.4.unpack, M_ignoreTypeLoadFailures.cs	Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.4.unpack, GetILGenerator.cs	Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.8.unpack, GetILGenerator.cs	Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.8.unpack, M_ignoreTypeLoadFailures.cs	Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.12.unpack, GetILGenerator.cs	Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.12.unpack, M_ignoreTypeLoadFailures.cs	Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.cs	Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs	Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs	Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.cs	Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.1.unpack, M_ignoreTypeLoadFailures.cs	Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.1.unpack, GetILGenerator.cs	Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.2.unpack, GetILGenerator.cs	Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.2.unpack, M_ignoreTypeLoadFailures.cs	Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2584:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3892:120:WilError_01

.NET source code contains calls to encryption/decryption functions

Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Binary or sample is protected by dotNetProtector

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.407043312.00000000000B2000.00000020.00020000.sdmp	String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.407043312.00000000000B2000.00000020.00020000.sdmp	String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000000.293020376.00000000000B2000.00000020.00020000.sdmp	String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000000.293020376.00000000000B2000.00000020.00020000.sdmp	String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.396661098.00000000000B2000.00000020.00020000.sdmp	String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.396661098.00000000000B2000.00000020.00020000.sdmp	String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: fffik.exe	String found in binary or memory: dotNetProtector
Source: fffik.exe, 0000000F.00000000.414752204.0000000000BB2000.00000020.00020000.sdmp	String found in binary or memory: dotNetProtector
Source: fffik.exe, 0000000F.00000000.414752204.0000000000BB2000.00000020.00020000.sdmp	String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: fffik.exe, 0000000F.00000002.552157957.0000000000BB2000.00000020.00020000.sdmp	String found in binary or memory: dotNetProtector
Source: fffik.exe, 0000000F.00000002.552157957.0000000000BB2000.00000020.00020000.sdmp	String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: fffik.exe	String found in binary or memory: dotNetProtector
Source: fffik.exe, 00000017.00000000.531992107.0000000000BB2000.00000020.00020000.sdmp	String found in binary or memory: dotNetProtector
Source: fffik.exe, 00000017.00000000.531992107.0000000000BB2000.00000020.00020000.sdmp	String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe	String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: fffik.exe.10.dr	String found in binary or memory: dotNetProtector
Source: fffik.exe.10.dr	String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_000B5CC8 push eax; ret		0_2_000B5CC9
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_000B7BD7 push edi; ret		0_2_000B7BD8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_000B43AF push edx; iretd		0_2_000B43B0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_000B5CBF push eax; ret		0_2_000B5CC0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F60642 pushfd ; retf		0_2_04F60645
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F7E123 push ecx; iretd		0_2_04F7E126
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 0_2_04F75393 push es; retf		0_2_04F75425
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 7_2_000B5CC8 push eax; ret		7_2_000B5CC9
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 7_2_000B7BD7 push edi; ret		7_2_000B7BD8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 7_2_000B43AF push edx; iretd		7_2_000B43B0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Code function: 7_2_000B5CBF push eax; ret		7_2_000B5CC0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_00BB5CBF push eax; ret		15_2_00BB5CC0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_00BB43AF push edx; iretd		15_2_00BB43B0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_00BB7BD7 push edi; ret		15_2_00BB7BD8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_00BB5CC8 push eax; ret		15_2_00BB5CC9
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_05300642 pushfd ; retf		15_2_05300645
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_0531E123 push ecx; iretd		15_2_0531E126
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 15_2_05315393 push es; retf		15_2_05315425
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 23_2_00BB5CBF push eax; ret		23_2_00BB5CC0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 23_2_00BB43AF push edx; iretd		23_2_00BB43B0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 23_2_00BB7BD7 push edi; ret		23_2_00BB7BD8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Code function: 23_2_00BB5CC8 push eax; ret		23_2_00BB5CC9

Persistence and Installation Behavior:

Creates processes with suspicious names

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	File created: \mv thalassini (ex- ocean lord).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	File created: \mv thalassini (ex- ocean lord).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	File created: \mv thalassini (ex- ocean lord).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	File created: \mv thalassini (ex- ocean lord).doc.exe			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	File created: \mv thalassini (ex- ocean lord).doc.exe			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	File created: \mv thalassini (ex- ocean lord).doc.exe			Jump to behavior

Drops PE files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\fffik\fffik.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: doc.exe

Static PE information: MV THALASSINI (EX- OCEAN LORD).doc.exe

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5372	Thread sleep time: -75000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 3752	Thread sleep time: -18446744073709540s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5248	Thread sleep count: 2541 > 30			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5248	Thread sleep count: 7309 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe TID: 5144	Thread sleep count: 76 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe TID: 5144	Thread sleep time: -76000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Window / User API: threadDelayed 2541			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Window / User API: threadDelayed 7309			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Queries a list of all running processes

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

Process information queried: ProcessInformation

Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: fffik.exe.10.dr

Binary or memory string: vmware

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process token adjusted: Debug			Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process queried: DebugPort			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Memory written: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Memory written: C:\Users\user\AppData\Roaming\fffik\fffik.exe base: 400000 value starts with: 4D5A			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Queries volume information: C:\Users\user\AppData\Roaming\fffik\fffik.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Queries volume information: C:\Users\user\AppData\Roaming\fffik\fffik.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 23.0.fffik.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.fffik.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.fffik.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.fffik.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.fffik.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.fffik.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fffik.exe.3dfb170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fffik.exe.3e30390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fffik.exe.3dfb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fffik.exe.3e30390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.401381216.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.400525770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.534716149.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.400110349.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.559754507.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.535791099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fffik.exe PID: 4808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fffik.exe PID: 5272, type: MEMORYSTR

Yara detected Credential Stealer

Source: Yara match	File source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fffik.exe PID: 5272, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 23.0.fffik.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.fffik.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.fffik.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.fffik.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.fffik.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.fffik.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fffik.exe.3dfb170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fffik.exe.3e30390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fffik.exe.3dfb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.fffik.exe.3e30390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.401381216.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.400525770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.534716149.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.400110349.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.559754507.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.535791099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fffik.exe PID: 4808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fffik.exe PID: 5272, type: MEMORYSTR