
Windows Analysis Report MV THALASSINI (EX- OCEAN LORD).doc.exe

Overview

General Information

Sample Name: MV THALASSINI (EX- OCEAN LORD).doc.exe
Analysis ID: 532732
MD5: 4b70ce8188818a2af2012d5873d41427
SHA1: 1ecffa65239684b2dd8aad9af1f492abae1abf9d
SHA256: 36db74b3ae7fee8c2acb570837c772d62274a96c4767ba01cab7540942d2788f
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • MV THALASSINI (EX- OCEAN LORD).doc.exe (PID: 6652 cmdline: "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" MD5: 4B70CE8188818A2AF2012D5873D41427)
    • cmd.exe (PID: 5580 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5612 cmdline: schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5312 cmdline: cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • fffik.exe (PID: 4808 cmdline: C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: 4B70CE8188818A2AF2012D5873D41427)
    • fffik.exe (PID: 5272 cmdline: C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: 4B70CE8188818A2AF2012D5873D41427)
    • cmd.exe (PID: 1184 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 2584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5200 cmdline: schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5704 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "zzlogs@gurnarshipping.com", "Password": "lSeZyYA0", "Host": "smtp.gurnarshipping.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 29 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
23.0.fffik.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
23.0.fffik.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
23.2.fffik.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
23.2.fffik.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
23.0.fffik.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 35 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, CommandLine: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, CommandLine|base64offset|contains: Lp$4, Image: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, NewProcessName: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, OriginalFileName: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, ParentCommandLine: "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" , ParentImage: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, ParentProcessId: 6652, ProcessCommandLine: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, ProcessId: 6148

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 15.2.fffik.exe.3e30390.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "zzlogs@gurnarshipping.com", "Password": "lSeZyYA0", "Host": "smtp.gurnarshipping.com"}
Multi AV Scanner detection for submitted file
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Virustotal: Detection: 61%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Metadefender: Detection: 42%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | ReversingLabs: Detection: 62%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Virustotal: Detection: 61%
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Joe Sandbox ML: detected
Source: 23.0.fffik.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.2.fffik.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack | Avira: Label: TR/Spy.Gen8
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: http://KSLlwF.com
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, fffik.exe, 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, fffik.exe, 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: fffik.exe, 0000000F.00000002.553845655.00000000011DA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs | Large array initialization: .cctor: array initializer size 11764
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs | Large array initialization: .cctor: array initializer size 11764
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs | Large array initialization: .cctor: array initializer size 11764
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_027F9250
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_027F0448
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_027F3991
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_027F042B
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F50040
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F55568
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F5B065
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F6195D
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F656E8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F70040
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F793A8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F50006
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F656D8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F70007
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_018046A0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_018045BA
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_0180D261
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_01190448
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_01199260
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_0119042A
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_052F5568
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_052F0040
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_052FB065
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_0530195D
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_053056E8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05310040
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_053193A8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05319398
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05310007
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_01199250
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_052F0006
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_053056D8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_012B46A0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_012B45B0
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000000.293118049.000000000018B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.408760139.00000000029D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.398680316.000000000018B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.400547432.0000000000438000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Virustotal: Detection: 61%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Metadefender: Detection: 42%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | ReversingLabs: Detection: 62%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe"
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: unknown | Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | File created: C:\Users\user\AppData\Roaming\fffik
Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/2@0/0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, GetILGenerator.cs | Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, M_ignoreTypeLoadFailures.cs | Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs | Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.cs | Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 0.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.cs | Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 0.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs | Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.4.unpack, M_ignoreTypeLoadFailures.cs | Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.4.unpack, GetILGenerator.cs | Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.8.unpack, GetILGenerator.cs | Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.8.unpack, M_ignoreTypeLoadFailures.cs | Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.12.unpack, GetILGenerator.cs | Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.12.unpack, M_ignoreTypeLoadFailures.cs | Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.cs | Base64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs | Base64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.csBase64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.csBase64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.1.unpack, M_ignoreTypeLoadFailures.csBase64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.1.unpack, GetILGenerator.csBase64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.2.unpack, GetILGenerator.csBase64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.2.unpack, M_ignoreTypeLoadFailures.csBase64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2584:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3892:120:WilError_01
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Binary or sample is protected by dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.407043312.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000000.293020376.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.396661098.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: fffik.exe | String found in binary or memory: dotNetProtector
Source: fffik.exe, 0000000F.00000000.414752204.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: fffik.exe, 0000000F.00000002.552157957.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: fffik.exe | String found in binary or memory: dotNetProtector
Source: fffik.exe, 00000017.00000000.531992107.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | String found in binary or memory: dotNetProtector
Source: fffik.exe.10.dr | String found in binary or memory: dotNetProtector
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B5CC8 push eax; ret 0_2_000B5CC9
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B7BD7 push edi; ret 0_2_000B7BD8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B43AF push edx; iretd 0_2_000B43B0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B5CBF push eax; ret 0_2_000B5CC0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F60642 pushfd ; retf 0_2_04F60645
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F7E123 push ecx; iretd 0_2_04F7E126
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F75393 push es; retf 0_2_04F75425
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B5CC8 push eax; ret 7_2_000B5CC9
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B7BD7 push edi; ret 7_2_000B7BD8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B43AF push edx; iretd 7_2_000B43B0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B5CBF push eax; ret 7_2_000B5CC0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB5CBF push eax; ret 15_2_00BB5CC0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB43AF push edx; iretd 15_2_00BB43B0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB7BD7 push edi; ret 15_2_00BB7BD8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB5CC8 push eax; ret 15_2_00BB5CC9
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05300642 pushfd ; retf 15_2_05300645
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_0531E123 push ecx; iretd 15_2_0531E126
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05315393 push es; retf 15_2_05315425
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB5CBF push eax; ret 23_2_00BB5CC0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB43AF push edx; iretd 23_2_00BB43B0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB7BD7 push edi; ret 23_2_00BB7BD8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB5CC8 push eax; ret 23_2_00BB5CC9
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | File created: \mv thalassini (ex- ocean lord).doc.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\fffik\fffik.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: doc.exe | Static PE information: MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5372 | Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 3752 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5248 | Thread sleep count: 2541 > 30
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5248 | Thread sleep count: 7309 > 30
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe TID: 5144 | Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe TID: 5144 | Thread sleep time: -76000s >= -30000s
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Window / User API: threadDelayed 2541
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Window / User API: threadDelayed 7309
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process information queried: ProcessInformation
Source: fffik.exe.10.dr | Binary or memory string: vmware
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into foreign processes
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Memory written: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Memory written: C:\Users\user\AppData\Roaming\fffik\fffik.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Users\user\AppData\Roaming\fffik\fffik.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 23.0.fffik.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.fffik.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.fffik.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.fffik.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.fffik.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.fffik.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.fffik.exe.3dfb170.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.fffik.exe.3e30390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.fffik.exe.3dfb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.fffik.exe.3e30390.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.401381216.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.400525770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.534716149.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.400110349.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.559754507.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.535791099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6652, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6148, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: fffik.exe PID: 4808, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: fffik.exe PID: 5272, type: MEMORYSTR
                      Source: Yara matchFile source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6148, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: fffik.exe PID: 5272, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match, file source: 23.0.fffik.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 23.2.fffik.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 23.0.fffik.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 23.0.fffik.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 23.0.fffik.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 23.0.fffik.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 15.2.fffik.exe.3dfb170.2.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 15.2.fffik.exe.3e30390.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 15.2.fffik.exe.3dfb170.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 15.2.fffik.exe.3e30390.1.unpack, type: UNPACKEDPE
                      Source: Yara match, file source: 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000007.00000000.401381216.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000007.00000000.400525770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000017.00000000.534716149.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000007.00000000.400110349.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000007.00000002.559754507.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000017.00000000.535791099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, file source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6652, type: MEMORYSTR
                      Source: Yara match, file source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6148, type: MEMORYSTR
                      Source: Yara match, file source: Process Memory Space: fffik.exe PID: 4808, type: MEMORYSTR
                      Source: Yara match, file source: Process Memory Space: fffik.exe PID: 5272, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      The matrix is listed per tactic column; the number following a technique is the count shown next to it in the matrix.

                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                      Execution: Windows Management Instrumentation 221; Scheduled Task/Job 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                      Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                      Privilege Escalation: Process Injection 112; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                      Defense Evasion: Masquerading 11; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 151; Process Injection 112; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 111; Software Packing 1
                      Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                      Discovery: Security Software Discovery 231; Process Discovery 2; Virtualization/Sandbox Evasion 151; Application Window Discovery 1; System Information Discovery 123; System Owner/User Discovery; Network Sniffing
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                      Collection: Input Capture 1; Archive Collected Data 11; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                      Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                      Behavior Graph

                      Behavior Graph ID: 532732, Sample: MV THALASSINI (EX- OCEAN L..., Startdate: 02/12/2021, Architecture: WINDOWS, Score: 100
                      Signatures on the sample: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 7 other signatures

                      Process tree recovered from the graph:

                      MV THALASSINI (EX- OCEAN LORD).doc.exe
                        signature: Injects a PE file into a foreign processes
                        -> cmd.exe
                             dropped: C:\Users\user\AppData\Roaming\...\fffik.exe (PE32)
                             dropped: C:\Users\user\...\fffik.exe:Zone.Identifier (ASCII)
                             -> conhost.exe
                        -> cmd.exe
                             signature: Uses schtasks.exe or at.exe to add and modify task schedules
                             -> conhost.exe
                             -> schtasks.exe
                        -> MV THALASSINI (EX- OCEAN LORD).doc.exe
                      fffik.exe
                        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                        -> cmd.exe
                             -> conhost.exe
                             -> schtasks.exe
                        -> cmd.exe
                             -> conhost.exe
                        -> fffik.exe


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      MV THALASSINI (EX- OCEAN LORD).doc.exe | 62% | Virustotal |
                      MV THALASSINI (EX- OCEAN LORD).doc.exe | 43% | Metadefender |
                      MV THALASSINI (EX- OCEAN LORD).doc.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                      MV THALASSINI (EX- OCEAN LORD).doc.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\fffik\fffik.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\fffik\fffik.exe | 62% | Virustotal |
                      C:\Users\user\AppData\Roaming\fffik\fffik.exe | 43% | Metadefender |
                      C:\Users\user\AppData\Roaming\fffik\fffik.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      23.0.fffik.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
                      7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack | 100% | Avira | TR/Spy.Gen8
                      7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack | 100% | Avira | TR/Spy.Gen8
                      7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
                      23.0.fffik.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
                      23.0.fffik.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                      23.2.fffik.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      23.0.fffik.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
                      7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack | 100% | Avira | TR/Spy.Gen8
                      23.0.fffik.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
                      7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack | 100% | Avira | TR/Spy.Gen8
                      7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://KSLlwF.com | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      Name: http://127.0.0.1:HTTP/1.1
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp
                      Malicious: false
                      Antivirus Detection: Avira URL Cloud: safe
                      Reputation: low

                      Name: http://DynDns.comDynDNS
                      Source: fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp
                      Malicious: false
                      Antivirus Detection: URL Reputation: safe
                      Reputation: unknown

                      Name: http://KSLlwF.com
                      Source: fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp
                      Malicious: false
                      Antivirus Detection: Avira URL Cloud: safe
                      Reputation: unknown

                      Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp
                      Malicious: false
                      Antivirus Detection: URL Reputation: safe
                      Reputation: unknown

                      Name: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, fffik.exe, 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, fffik.exe, 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp
                      Malicious: false
                      Antivirus Detection: URL Reputation: safe
                      Reputation: unknown

                      Contacted IPs

                      No contacted IP infos

                      General Information

                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:532732
                      Start date:02.12.2021
                      Start time:16:51:45
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 12m 6s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:MV THALASSINI (EX- OCEAN LORD).doc.exe
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of new started processes analysed:31
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@22/2@0/0
                      EGA Information:Failed
                      HDC Information:Failed
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 82
                      • Number of non-executed functions: 1
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .exe
                      Warnings:
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 92.122.145.220
                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                      • Not all processes were analyzed, report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                      Simulations

                      Behavior and APIs

                      Time | Type | Description
                      16:53:40 | Task Scheduler | Run new task: Nanias path: "C:\Users\user\AppData\Roaming\fffik\fffik.exe"
                      16:53:46 | API Interceptor | 420x Sleep call for process: MV THALASSINI (EX- OCEAN LORD).doc.exe modified

                      Joe Sandbox View / Context

                      IPs

                      No context

                      Domains

                      No context

                      ASN

                      No context

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Process:C:\Windows\SysWOW64\cmd.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):915456
                      Entropy (8bit):6.078026359267813
                      Encrypted:false
                      SSDEEP:12288:t/jY038PO0YCNkMBPf/WRjLkflW1lagKsPFg:Jsm0YcdfgLkflW1lTFg
                      MD5:4B70CE8188818A2AF2012D5873D41427
                      SHA1:1ECFFA65239684B2DD8AAD9AF1F492ABAE1ABF9D
                      SHA-256:36DB74B3AE7FEE8C2ACB570837C772D62274A96C4767BA01CAB7540942D2788F
                      SHA-512:FEE0BB6584F39AF192EC72F59AFA17F40BC18E7F26B0E9D16842765FC2AB76FBF0046CFCE8918109646CA2E420E0700D07CC16C1D18DD8F977D437E045665C0E
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: Virustotal, Detection: 62%
                      • Antivirus: Metadefender, Detection: 43%
                      • Antivirus: ReversingLabs, Detection: 62%
                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................V........... ........@.. .......................@......2.....@.....................................K.......^R................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...^R.......T..................@..@.reloc....... ......................@..B.......................H...................;.......R..........................................:.(......}....*.~'...~&...r.?.p.{.........(....(....~(...(....*..(....*:.(......}....*.~'...~&...r.?.p.{.........(....(....~(...(....*2~.....(....*..(....*.*..{....*..{....*:~.......(....*..(......ee. .... .(..aiY.#....Ai..#....Ai..X(....Ze}....*..{....*:~.......(....*6~......(....*..{....*..{....*..{....*..{....*..(......#.....,..#.....,..X(....f.Ye}....*..{....*..{....*..{....*.~....(....*.~....(....*..
                      C:\Users\user\AppData\Roaming\fffik\fffik.exe:Zone.Identifier
                      Process:C:\Windows\SysWOW64\cmd.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:modified
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Preview: [ZoneTransfer]....ZoneId=0

                      Static File Info

                      General

                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):6.078026359267813
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:MV THALASSINI (EX- OCEAN LORD).doc.exe
                      File size:915456
                      MD5:4b70ce8188818a2af2012d5873d41427
                      SHA1:1ecffa65239684b2dd8aad9af1f492abae1abf9d
                      SHA256:36db74b3ae7fee8c2acb570837c772d62274a96c4767ba01cab7540942d2788f
                      SHA512:fee0bb6584f39af192ec72f59afa17f40bc18e7f26b0e9d16842765fc2ab76fbf0046cfce8918109646ca2e420e0700d07cc16c1d18dd8f977d437e045665c0e
                      SSDEEP:12288:t/jY038PO0YCNkMBPf/WRjLkflW1lagKsPFg:Jsm0YcdfgLkflW1lTFg
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................V........... ........@.. .......................@......2.....@................................

                      File Icon

                      Icon Hash:7cd8d8d8e6eeee66

                      Static PE Info

                      General

                      Entrypoint:0x47bf0e
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x619EA6F9 [Wed Nov 24 20:56:25 2021 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:v4.0.30319
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                      Entrypoint Preview

                      Instruction
                      jmp dword ptr [00402000h]
                      add byte ptr [eax], al
                      (the same add byte ptr [eax], al instruction fills the remaining 96 lines of the preview: every byte after the jmp is zero, and the byte pair 00 00 disassembles to that instruction)

                      Data Directories

                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7bec0 | 0x4b | .text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7c000 | 0x6525e | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                      Sections

                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                      .text   0x2000           0x79f14       0x7a000   False     0.605622838755   data       6.72090618067   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rsrc   0x7c000          0x6525e       0x65400   False     0.292563657407   data       4.7662742472    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc  0xe2000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Entropy is in bits per byte. 6.72 for .text is higher than plain IL and metadata usually produce and points to compressed or encrypted data embedded in the code section; .rsrc at 4.77 is dominated by the icon bitmaps listed below. Xored PE is False for every section, so no XOR-encoded PE image was found inside any of them.

                      Resources

                      Name                             RVA      Size     Type  (Language and Country are empty for every entry)
                      EDPENLIGHTENEDAPPINFOID          0x7c530  0x2      data
                      EDPPERMISSIVEAPPINFOID           0x7c534  0x2      data
                      GOOGLEUPDATEAPPLICATIONCOMMANDS  0x7c538  0x4      data
                      RT_ICON                          0x7c53c  0xa068   data
                      RT_ICON                          0x865a4  0x668    data
                      RT_ICON                          0x86c0c  0x2e8    dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2340981752, next used block 136
                      RT_ICON                          0x86ef4  0x128    GLS_BINARY_LSB_FIRST
                      RT_ICON                          0x8701c  0x12428  data
                      RT_ICON                          0x99444  0xea8    data
                      RT_ICON                          0x9a2ec  0x8a8    dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15003106, next used block 15526627
                      RT_ICON                          0x9ab94  0x568    GLS_BINARY_LSB_FIRST
                      RT_ICON                          0x9b0fc  0x42028  dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0
                      RT_ICON                          0xdd124  0x25a8   data
                      RT_ICON                          0xdf6cc  0x10a8   data
                      RT_ICON                          0xe0774  0x468    GLS_BINARY_LSB_FIRST
                      RT_GROUP_ICON                    0xe0bdc  0xae     data
                      RT_VERSION                       0xe0c8c  0x3e8    data
                      RT_MANIFEST                      0xe1074  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                      The Type column is a libmagic-style content guess over each resource's raw bytes. RT_ICON entries hold DIB pixel data, so the "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" labels are misidentifications, not embedded database files; the 0x42028-byte entry is exactly a 256x256 32-bpp icon (0x28 header + 0x40000 XOR bitmap + 0x2000 AND mask). The three named resources at the top are identifiers used by EDP-enlightened applications and Google Update; a .NET stub has no functional use for them.

                      Imports

                      DLL          Import
                      mscoree.dll  _CorExeMain

                      _CorExeMain is the only native import: the loader hands control to the CLR and everything else happens in managed code, so a native import scan says nothing about this sample's capabilities.

                      Version Infos

                      Description       Data
                      LegalCopyright    2007-2011 Otaku Software Pty Ltd
                      InternalName      DeskSpace
                      FileVersion       1.5.8.14
                      CompanyName       Otaku Software Pty Ltd
                      LegalTrademarks   DeskSpace is a trademark of Otaku Software Pty Ltd
                      Comments          DeskSpace 1.5.8.14 Trial
                      ProductName       DeskSpace
                      ProductVersion    1.5.8.14
                      FileDescription   DeskSpace
                      OriginalFilename  DeskSpace15814TrialSetup.exe
                      Translation       0x0000 0x04b0

                      The version block describes the DeskSpace 1.5.8.14 trial installer and does not match the submitted file name. A version resource can be copied into any binary, so this block must not be used for attribution or for allow-listing.
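The static tables above (data directories, sections, entropy, CLR header) can be recovered from any PE with a few dozen lines of struct parsing. The script below is an added example, not code from the report or from the sample; it builds a small synthetic PE32 in memory with the same layout as this sample (.text carrying the IAT, CLR header and import table, then .rsrc and .reloc) so that it runs offline, and applies the three checks an analyst reads off these tables. The 6.5 bits/byte entropy threshold is an assumed triage value, and the synthetic image's contents are constructed, not taken from the sample.

```python
"""Dependency-free PE data-directory and section parser with entropy triage.

Added example: not the sandbox's code. Pass a file path to parse a real PE;
with no argument it parses a constructed PE32 built by build_demo_pe()."""
import math
import struct
import sys
from collections import Counter

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
HIGH_ENTROPY = 6.5   # assumed triage threshold (bits/byte) for an executable section


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Return image base, section table (with entropy) and the data directories."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24                                             # optional header follows the COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                        # PE32: ImageBase is a DWORD at +28
        base = struct.unpack_from("<I", image, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                      # PE32+: ImageBase is a QWORD at +24
        base = struct.unpack_from("<Q", image, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": rsize,
                         "entropy": round(shannon_entropy(image[rptr:rptr + rsize]), 4),
                         "executable": bool(chars & 0x20000000)})   # IMAGE_SCN_MEM_EXECUTE

    def owner(rva):                                           # the "Is in Section" column
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
                return s["name"]
        return ""

    ndirs = min(struct.unpack_from("<I", image, ndirs_off)[0], 16)
    dirs = {}
    for i in range(ndirs):
        rva, size = struct.unpack_from("<II", image, dirs_off + 8 * i)
        dirs[DIR_NAMES[i]] = {"rva": rva, "size": size, "section": owner(rva) if rva else ""}
    return {"image_base": base, "sections": sections, "dirs": dirs}


def triage(info: dict) -> list:
    """Findings read off the tables: CLR header, missing signature, packed code section."""
    d, out = info["dirs"], []
    if d.get("COM_DESCRIPTOR", {}).get("rva"):
        out.append("managed (.NET) executable: COM_DESCRIPTOR points at the CLR header")
    if not d.get("SECURITY", {}).get("size"):
        out.append("no Authenticode signature (SECURITY directory empty)")
    for s in info["sections"]:
        if s["executable"] and s["entropy"] > HIGH_ENTROPY:
            out.append(f"high-entropy code section {s['name']} ({s['entropy']} bits/byte): "
                       "likely compressed or encrypted payload")
    return out


def build_demo_pe() -> bytes:
    """Constructed PE32 with this sample's layout; .text is a uniform byte pattern (entropy 8.0)."""
    specs = [(b".text", 0x2000, bytes(range(256)) * 4, 0x60000020),   # CODE|EXECUTE|READ
             (b".rsrc", 0x4000, b"\0" * 0x200, 0x40000040),          # INITIALIZED_DATA|READ
             (b".reloc", 0x6000, b"\0" * 0x200, 0x42000040)]         # ...|DISCARDABLE
    dirs = {1: (0x2100, 0x4B), 2: (0x4000, 0x200), 5: (0x6000, 0xC),  # IMPORT, RESOURCE, BASERELOC
            12: (0x2000, 8), 14: (0x2008, 0x48)}                      # IAT, COM_DESCRIPTOR
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)        # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x8000, 0x400)                   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    for idx, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    headers, body, rptr = b"", b"", 0x400
    for name, rva, payload, chars in specs:
        headers += struct.pack("<8sIIIIIIHHI", name, len(payload), rva, len(payload), rptr, 0, 0, 0, 0, chars)
        body += payload
        rptr += len(payload)
    return (dos + b"PE\0\0" + coff + bytes(opt) + headers).ljust(0x400, b"\0") + body


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    info = parse_pe(image)
    print(f"ImageBase {info['image_base']:#x}")
    for s in info["sections"]:
        print(f"{s['name']:<8}{s['va']:#10x}{s['vsize']:#10x}{s['raw_size']:#10x}  entropy {s['entropy']}")
    for name, d in info["dirs"].items():
        if d["rva"]:
            print(f"{name:<16}{d['rva']:#10x}{d['size']:#8x}  {d['section']}")
    for line in triage(info):
        print("-", line)
```

Run it against the sample itself and the section and directory rows reproduce the tables above; the entropy figure is the same Shannon value the report prints, so the threshold is the only judgement call in the script.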

                      Network Behavior

                      No network behavior found. A run with no traffic shows only that no exfiltration channel was exercised during this analysis, not that the sample has none.


                      System Behavior

                      General

                      Start time:16:52:44
                      Start date:02/12/2021
                      Path:C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe"
                      Imagebase:0xb0000
                      File size:915456 bytes
                      MD5 hash:4B70CE8188818A2AF2012D5873D41427
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, Author: Joe Security
                      Reputation:low

                      General

                      Start time:16:53:32
                      Start date:02/12/2021
                      Path:C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
                      Imagebase:0xb0000
                      File size:915456 bytes
                      MD5 hash:4B70CE8188818A2AF2012D5873D41427
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.401381216.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.401381216.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.400525770.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.400525770.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.400110349.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.400110349.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.559754507.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.559754507.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, Author: Joe Security
                      Reputation:low

                      General

                      Start time:16:53:36
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Imagebase:0xd80000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:53:36
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Imagebase:0xd80000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:53:37
                      Start date:02/12/2021
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7f20f0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:53:37
                      Start date:02/12/2021
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7f20f0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:53:38
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Imagebase:0x10000
                      File size:185856 bytes
                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:53:40
                      Start date:02/12/2021
                      Path:C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Imagebase:0xbb0000
                      File size:915456 bytes
                      MD5 hash:4B70CE8188818A2AF2012D5873D41427
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, Author: Joe Security
                      Antivirus matches:
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 62%, Virustotal, Browse
                      • Detection: 43%, Metadefender, Browse
                      • Detection: 62%, ReversingLabs
                      Reputation:low

                      General

                      Start time:16:54:35
                      Start date:02/12/2021
                      Path:C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Imagebase:0xbb0000
                      File size:915456 bytes
                      MD5 hash:4B70CE8188818A2AF2012D5873D41427
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.534716149.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.534716149.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.535791099.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.535791099.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation:low
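The Yara "Source" strings in the process blocks above encode where each match was found, and the addresses are the interesting part: the re-launched copy of the sample (image base 0xb0000) and the second fffik.exe instance (image base 0xbb0000) both match at 0x00402000 in a region with protection 0x40, i.e. executable and writable memory at the default 0x400000 base of a PE that is not the process's own image. The script below is an added example, not tooling from the report; it decodes the dump names and classifies each hit. My reading of the field layout (process index, dump phase, dump id, base address, page protection, trailing flag) is an assumption, the page does not document it; the PAGE_* values are the standard Win32 constants, and the 0xe4000 SizeOfImage is an estimate from the section table (the report does not list it).

```python
"""Decode sandbox memory-dump source names and rank Yara hits by where they landed.

Added example, not part of the report. Field meanings below are assumed from the
naming pattern; only the base address and protection fields are relied on."""
import re
from dataclasses import dataclass

# Standard Win32 page-protection constants (the fifth field of the dump name).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

DUMP_NAME = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
                       r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)


@dataclass(frozen=True)
class DumpSource:
    process: int     # analysis process index (assumed meaning of field 1)
    stage: int       # dump phase field (assumed; not used by the checks below)
    dump_id: str     # opaque dump identifier, kept as text
    base: int        # region base address
    protect: int     # page protection of the region at dump time
    extra: int       # trailing flag field; meaning not relied on here

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"{self.protect:#x}")


def parse_dump_name(name: str) -> DumpSource:
    m = DUMP_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    p, s, d, b, pr, x = m.groups()
    return DumpSource(int(p, 16), int(s, 16), d, int(b, 16), int(pr, 16), int(x, 16))


def classify(src: DumpSource, image_base: int, image_size: int) -> str:
    """Where does the matched region sit relative to the process's own image?"""
    in_image = image_base <= src.base < image_base + image_size
    exe, wr = src.protect in EXECUTABLE, src.protect in WRITABLE
    if exe and wr and not in_image:
        return "rwx-outside-image"   # a second PE mapped into the process: hollowing/injection
    if exe and not in_image:
        return "exec-outside-image"
    if in_image:
        return "in-image"
    return "writable-data" if wr else "other"   # decrypted strings/config in heap memory


# Constructed from the image bases and Yara sources in the process blocks above.
REPORT_HITS = [
    (0x0B0000, "00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp"),
    (0x0B0000, "00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp"),
    (0x0B0000, "00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp"),
    (0xBB0000, "0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp"),
    (0xBB0000, "00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp"),
]
IMAGE_SIZE = 0xE4000   # assumed SizeOfImage: .reloc at RVA 0xe2000 plus one 0x2000-aligned page


def summarize(hits):
    """One (process, base, protection, verdict) row per distinct hit, in input order."""
    rows = []
    for image_base, name in hits:
        src = parse_dump_name(name)
        row = (src.process, src.base, src.protect_name, classify(src, image_base, IMAGE_SIZE))
        if row not in rows:
            rows.append(row)
    return rows


if __name__ == "__main__":
    for proc, base, prot, verdict in summarize(REPORT_HITS):
        print(f"process {proc:>2}  base {base:#010x}  {prot:<24} {verdict}")
```

An "rwx-outside-image" verdict on a region at a round image-base-like address is the signature of a hollowed or injected PE; that is also the region to dump and unpack, since it holds the decoded payload rather than the obfuscated loader on disk.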

                      General

                      Start time:16:54:44
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Imagebase:0xd80000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:54:44
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Imagebase:0xd80000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:54:44
                      Start date:02/12/2021
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7f20f0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:54:44
                      Start date:02/12/2021
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7f20f0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      General

                      Start time:16:54:45
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Imagebase:0x10000
                      File size:185856 bytes
                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
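The persistence chain in the process list above is entirely visible in command lines: the sample copies itself to %AppData%\Roaming\fffik\fffik.exe, registers a scheduled task named "Nanias" that re-runs that copy every minute, and the copy repeats both steps. The rules below are an added example, not part of the report, that run these checks over the listed command lines (reconstructed here as constructed sample input) and also flag the double extension of the original file name. The five-minute "short interval" threshold is an assumption.

```python
"""Triage rules over Windows process command lines: scheduled-task persistence,
self-copy into the user profile, and double-extension file names.

Added example; the command lines are copied from the report's process list."""
import re

SHORT_INTERVAL_MINUTES = 5   # assumed: tasks firing this often are persistence/relaunch loops
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.I)
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf|txt|jpe?g|png)\.(exe|scr|com|pif|bat)$", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
SCHTASKS_OPT = re.compile(r'/(sc|mo|tn|tr)\s+(?:"([^"]*)"|(\S+))', re.I)
COPY_CMD = re.compile(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"?', re.I)   # trailing quote optional: the report's line lacks it
LEADING_EXE = re.compile(r'^"?([^"]+?\.(?:exe|scr|com|pif))"?(?:\s|$)', re.I)
UNIT_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440}

# One entry per distinct command line in the System Behavior section (constructed input).
REPORT_CMDLINES = [
    r'''"C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe"''',
    r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f''',
    r'''cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe''',
    r'''schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f''',
    r'''C:\Users\user\AppData\Roaming\fffik\fffik.exe''',
]


def parse_schtasks(cmdline: str):
    """Return the /sc /mo /tn /tr options of a `schtasks /create` invocation, else None."""
    if not SCHTASKS_CREATE.search(cmdline):
        return None
    opts = {}
    for m in SCHTASKS_OPT.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        opts[m.group(1).lower()] = value.strip("'")   # the sample wraps /tr in "'...'"
    return opts


def interval_minutes(opts: dict):
    """Repeat interval implied by /sc and /mo, or None for schedules not modelled here."""
    unit = UNIT_MINUTES.get(opts.get("sc", "").lower())
    if unit is None:
        return None
    try:
        return unit * int(opts.get("mo", "1"))
    except ValueError:
        return None


def triage(cmdlines):
    """(severity, message) findings, de-duplicated so cmd /c wrappers do not double-count."""
    findings = []
    for cl in cmdlines:
        opts = parse_schtasks(cl)
        if opts:
            task, target, mins = opts.get("tn", "?"), opts.get("tr", ""), interval_minutes(opts)
            if USER_WRITABLE.search(target):
                findings.append(("high", f"task {task} runs {target} from a user-writable directory"))
            if mins is not None and mins <= SHORT_INTERVAL_MINUTES:
                findings.append(("medium", f"task {task} repeats every {mins} minute(s)"))
        m = COPY_CMD.search(cl)
        if m and USER_WRITABLE.search(m.group(2)) and m.group(2).lower().endswith(".exe"):
            findings.append(("high", f"executable copied into user profile: {m.group(1)} -> {m.group(2)}"))
        m = LEADING_EXE.match(cl)
        if m and DOUBLE_EXT.search(m.group(1)):
            findings.append(("medium", f"double extension disguises an executable: {m.group(1)}"))
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for severity, message in triage(REPORT_CMDLINES):
        print(f"[{severity}] {message}")
```

The same three checks map directly onto endpoint telemetry: process-creation events for schtasks.exe with /create and a /tr under a user profile, file-creation events for .exe files under AppData written by a process that is itself the file being copied, and the double extension at delivery time. Note that the task's /tr argument is single-quoted inside double quotes, so a detection that parses the target path must strip both, as parse_schtasks does.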

                      Disassembly

                      Code Analysis


                        Executed Functions

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.408417622.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: ;Vh$:NZ~$_O2m$c;Vh
                        • API String ID: 0-1630639295
                        • Opcode ID: 2cc107a3dabd901cc6b1a3eb419d34ebd0acfa9a600c7a7142d7fe9d16eb732c
                        • Instruction ID: 967c32e8d5dc54671bd9fc6e5d65fd4aa07f2d13570afe0f408a79f1a021aeb7
                        • Opcode Fuzzy Hash: 2cc107a3dabd901cc6b1a3eb419d34ebd0acfa9a600c7a7142d7fe9d16eb732c
                        • Instruction Fuzzy Hash: AB432571804159CFCB54BFA8E9486EDBBB5FF88305F4149EAD189A6254EF300AACCF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.408417622.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: ;Vh$:NZ~$_O2m$c;Vh
                        • API String ID: 0-1630639295
                        • Opcode ID: 8800fe4e7f880a427039670cde8b55c0c4e89f9313b1a539dd0b9437ccf8871e
                        • Instruction ID: c2b20855d5e1eba990aa9a7abeb2184a621d2032b65f296c259dfbfb0a5249f6
                        • Opcode Fuzzy Hash: 8800fe4e7f880a427039670cde8b55c0c4e89f9313b1a539dd0b9437ccf8871e
                        • Instruction Fuzzy Hash: 7D432571804159CFCB54BFA8E9486EDBBB5FF88305F4149EAD189A6254EF300AACCF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.408417622.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: _@$@@t
                        • API String ID: 0-408464218
                        • Opcode ID: a6519f6b0dd0277c6597ce633374eaa24f851d80b420211f3f96313f14121e20
                        • Instruction ID: c78dfbb2457c8250068f4f6ec14857b6b990144f3a16677697a4948db3668e9b
                        • Opcode Fuzzy Hash: a6519f6b0dd0277c6597ce633374eaa24f851d80b420211f3f96313f14121e20
                        • Instruction Fuzzy Hash: 3CA30C70E091288FCB94EF28D985A9CBBB2FB49304F0189E9D54C97355DB346E98CF52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6865b994989d89c12ee25503e8f472967c39077c50ae9ecb6f300ca7274c320b
                        • Instruction ID: 6f3fe5065e2a7768f13635e0b710dd69a72844e558b87129245372dfbf201402
                        • Opcode Fuzzy Hash: 6865b994989d89c12ee25503e8f472967c39077c50ae9ecb6f300ca7274c320b
                        • Instruction Fuzzy Hash: D4B30870E14218CFCB14EF28DD85699BBB6FB88204F4089EAD48CA7754DB386D99CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411250148.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1dde261d0ccfeaffe245e50436e154f6d91a1b59226594aad362cfdffc28d1b8
                        • Instruction ID: 39cdb92d0c2a923cd35b2fb18b6819a9394b1c30dd89f383300a371e52ce56ec
                        • Opcode Fuzzy Hash: 1dde261d0ccfeaffe245e50436e154f6d91a1b59226594aad362cfdffc28d1b8
                        • Instruction Fuzzy Hash: B7930B70D051288FCB54EF28E985A9DBBB2FF48204F4149EAD44CA7754DB386E98CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5c83468e4bd4d39ea8ec0ed6b1cd7a258bbed13c0f744325165d3f1c48606101
                        • Instruction ID: 44ece60b8d361444cc9223726e4fee3a2c5afa9fa3a3364279036946e55fee3a
                        • Opcode Fuzzy Hash: 5c83468e4bd4d39ea8ec0ed6b1cd7a258bbed13c0f744325165d3f1c48606101
                        • Instruction Fuzzy Hash: 31930970E05128CFCB54EF28E985A9DBBB2FB89204F0149E9D44CA7354DB346E99CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411250148.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 24aa3255d08361bd586b4859cf3f0ff5d8395299862fb7b9abf4e41b75448f12
                        • Instruction ID: 7d0f4a1c41589731cc0e91a75d892b81399cd3835f1bf301c11346cda42cc48d
                        • Opcode Fuzzy Hash: 24aa3255d08361bd586b4859cf3f0ff5d8395299862fb7b9abf4e41b75448f12
                        • Instruction Fuzzy Hash: FE93F870D041288BCB94EF28E985A9DBBB2FB49304F1149E9D44CA7754DF386E98CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.408417622.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8fa4ce2d251a0b5934687b1e2f08f68204a9ea8463edffdd9647914d7572335d
                        • Instruction ID: 78ae5b79b6ed832e292703eff528ac7186ef95b4854c1787379ab2cc90cddd74
                        • Opcode Fuzzy Hash: 8fa4ce2d251a0b5934687b1e2f08f68204a9ea8463edffdd9647914d7572335d
                        • Instruction Fuzzy Hash: A8930C70D082288FCB64EF29D995A9DBBB2FB88304F0189EDD44897354DB346E99CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d62b036c8bd3d4048b0947695552488c61c965e819a8b15a15a29f35c12d1691
                        • Instruction ID: 9144fbca6e9279be5b3aeb34c3d6ae76a0f320c5f3537614a3c99d69213a4bdf
                        • Opcode Fuzzy Hash: d62b036c8bd3d4048b0947695552488c61c965e819a8b15a15a29f35c12d1691
                        • Instruction Fuzzy Hash: 97931D70D142288FCB54EF29E985A9DBBB2FB88304F0185E9D44C97354DB346E99CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: D
                        • API String ID: 0-2746444292
                        • Opcode ID: 4360a584ae8e18421c66c69857138af50fdd3b47e943935393e9ad137b134542
                        • Instruction ID: 921e0f4d1a66e43ea82a12b610b8b643d9099881b528ee4f829720ff8eef75a7
                        • Opcode Fuzzy Hash: 4360a584ae8e18421c66c69857138af50fdd3b47e943935393e9ad137b134542
                        • Instruction Fuzzy Hash: 59532E70E04228CFC715EF29E984A9DBBB2FB89204F0185E9D48CA7354DB346E99CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411250148.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 350eb49c74170762e1ec7f6e240580fb1ad5a6bebd6f5832e955f4d6bcd35707
                        • Instruction ID: a869af81c873edb16785de70b4137deb4b77b95513f24e7b18f04176b59161f4
                        • Opcode Fuzzy Hash: 350eb49c74170762e1ec7f6e240580fb1ad5a6bebd6f5832e955f4d6bcd35707
                        • Instruction Fuzzy Hash: 5CE2C770D04128CBCB94EF29E985A9CBBB2FB49304F1189E9D44CA7354DB386D98CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7e19b3437c3c3e22998819711e16bcb5e784c1a813af2f09aec1562f335f23dc
                        • Instruction ID: ab10d7d817bb0074c244355128fba9ac07eb9fce24198395affe4cc41714343c
                        • Opcode Fuzzy Hash: 7e19b3437c3c3e22998819711e16bcb5e784c1a813af2f09aec1562f335f23dc
                        • Instruction Fuzzy Hash: 0DE2EA70D142288FCB54EF29E989A9CBBB2FB48300F0185E9D44CA7755DB346E99CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: $%`l$$%`l
                        • API String ID: 0-2020367237
                        • Opcode ID: d2679fc12d197b848df043e6d7497cc5226ab39cf4998ffb37050100a883aa3a
                        • Instruction ID: c050d50ca601848c54d73fc71a8337f1a5b84e03850d7a09bed98d37a7c23863
                        • Opcode Fuzzy Hash: d2679fc12d197b848df043e6d7497cc5226ab39cf4998ffb37050100a883aa3a
                        • Instruction Fuzzy Hash: A8A12E35A003598FDB14EBA4CD54AEEB7F6EF89304F244525D90AAB264EF30BD46CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: $%`l$$%`l
                        • API String ID: 0-2020367237
                        • Opcode ID: 68a308b53a2c09371fccca4497d52ae6633fdd9c158014e5911d34abb642c598
                        • Instruction ID: 7293f14fdf6bac848d269a92b565703b9d8356f9967c7984d24a6b278fab7933
                        • Opcode Fuzzy Hash: 68a308b53a2c09371fccca4497d52ae6633fdd9c158014e5911d34abb642c598
                        • Instruction Fuzzy Hash: 37412434B003459BEB04EBA4D961B9DB7F6AF85304F214124DA0AAF6A4DF31FD46CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: ,Hgl
                        • API String ID: 0-3683763185
                        • Opcode ID: c1cbbc33230cbcee1bd34633996d6a4d9055ab1c40f194bd293c192d85ab1afb
                        • Instruction ID: b7ef876de6eedc8079152c522151df732955f7d253fc6ab126f8286b97a26201
                        • Opcode Fuzzy Hash: c1cbbc33230cbcee1bd34633996d6a4d9055ab1c40f194bd293c192d85ab1afb
                        • Instruction Fuzzy Hash: D9725F74A04118CBCB44EF78E985BDEB7B2FB88304F1084AAD84897754EF35AD95CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: ,Hgl
                        • API String ID: 0-3683763185
                        • Opcode ID: 05c56dd4b3b211a89849430934146bbf7d3f79ffc4516acc7a949a2c67616733
                        • Instruction ID: 49cb553b8264c698dc97867f53db715ee1e81a980af1b35566c030f36bc2d50a
                        • Opcode Fuzzy Hash: 05c56dd4b3b211a89849430934146bbf7d3f79ffc4516acc7a949a2c67616733
                        • Instruction Fuzzy Hash: BB724074A04118CBCB44EF78E985BDEB7B2FB88304F1084AAD84897754EF35AD95CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 06bc76944d288b35e2446163c796689267f2e1e267e68fe8157ceb14d2e8c41c
                        • Instruction ID: 3314a2e4124864be93c2f6042a0954d79c283a37e823f2a52d5117320b88be9a
                        • Opcode Fuzzy Hash: 06bc76944d288b35e2446163c796689267f2e1e267e68fe8157ceb14d2e8c41c
                        • Instruction Fuzzy Hash: 80C26C30A05118CFDB04FF78E99969EBBB2FB88304F4085AAD48897754DF386D59CB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d504a1333659145cb2439c3b29bb9e7f59251531e6e742063353772fdf510968
                        • Instruction ID: 5ae0aa07725e743f82556fcfa656a1028207aca3c769b24160b1d1b1648334d5
                        • Opcode Fuzzy Hash: d504a1333659145cb2439c3b29bb9e7f59251531e6e742063353772fdf510968
                        • Instruction Fuzzy Hash: 7CC26C30A05118CBDB04FF78ED9969EBBB2FB88300F4085AAD48897754DF386D59CB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: <dl
                        • API String ID: 0-3918720774
                        • Opcode ID: 90e21e649d9a8a81102a8e23fe210a57577cbdb1e63d22f285503b639d574139
                        • Instruction ID: 21e3d401c7d640b8ad3d796e7e3f74fc578679a1323cf4eefcdbd9f0b9d70b53
                        • Opcode Fuzzy Hash: 90e21e649d9a8a81102a8e23fe210a57577cbdb1e63d22f285503b639d574139
                        • Instruction Fuzzy Hash: 73413471704324AFC705AF68CC45AAEBBBBEFC9214B44886AD40ACB381DF34DC0587A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c6c03bf834079f9bf021b7e761ee395af90d106ecbce94d8beafc47d9ba2700a
                        • Instruction ID: be55db3b71f6a47ba5a0087770b4f88544943cbb96a73f114df4e6eca751ba83
                        • Opcode Fuzzy Hash: c6c03bf834079f9bf021b7e761ee395af90d106ecbce94d8beafc47d9ba2700a
                        • Instruction Fuzzy Hash: F2927F70A04258CFCB04EF78E95479EBBB5FB88204F4189AAD449E7394DB389C59CB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.408417622.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 979c417517ed5272e67169a8b99389c3717e517d36bd26b7a749c924d2798351
                        • Instruction ID: 1887456246b99bab6d4cdfba1f4838997a40be6620eff74a85e01523edd854ef
                        • Opcode Fuzzy Hash: 979c417517ed5272e67169a8b99389c3717e517d36bd26b7a749c924d2798351
                        • Instruction Fuzzy Hash: CC72EC70D01219CFCB54EFA8E9546DD7BF2EF81315F0099A9C0096F6A4EB346E498FA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.408417622.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 27dc148e7972ffdc4f0de83303ab8706faba5bc5be0b9e2016ce9895221a7cd6
                        • Instruction ID: 7bf571d18698892bf0eab14afe87a9fb73268408528321013663c3c52b78318c
                        • Opcode Fuzzy Hash: 27dc148e7972ffdc4f0de83303ab8706faba5bc5be0b9e2016ce9895221a7cd6
                        • Instruction Fuzzy Hash: 8772FC70D01219CFCB54EFA8E9546DD7BF2EF81315F0099A9C0096F6A4EB346E498FA1
                        Uniqueness

                        Uniqueness Score: -1.00%
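Several entries in this listing carry different Opcode IDs but Instruction Fuzzy Hashes that differ only in their first few hex digits: the two functions from the 027F0000 region directly above (CC72EC70... and 8772FC70...), and the two ,Hgl functions from 04F60000 earlier (D9725F74... and BB724074...). Surfacing such pairs across regions is the useful triage step this table supports, since it shows where the same code has been laid out at more than one address in the process. The following parser and near-duplicate finder is an added example for this page, not part of the Joe Sandbox report; it uses a positional Hamming distance over the hex digits as a rough proxy for hash similarity (an assumption, not Joe Sandbox's own similarity metric), with an arbitrary threshold of 8 differing positions. The sample input is a constructed excerpt of five entries copied from this listing.

```python
import re
from collections import Counter
from itertools import combinations

# Constructed sample: five function entries copied from the report listing
# (two from the region at 04F60000, two from 027F0000, one from 04F50000).
REPORT_EXCERPT = """\
Memory Dump Source
• Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
• String ID: ,Hgl
• Opcode ID: c1cbbc33230cbcee1bd34633996d6a4d9055ab1c40f194bd293c192d85ab1afb
• Instruction Fuzzy Hash: D9725F74A04118CBCB44EF78E985BDEB7B2FB88304F1084AAD84897754EF35AD95CB91
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
• String ID: ,Hgl
• Opcode ID: 05c56dd4b3b211a89849430934146bbf7d3f79ffc4516acc7a949a2c67616733
• Instruction Fuzzy Hash: BB724074A04118CBCB44EF78E985BDEB7B2FB88304F1084AAD84897754EF35AD95CB91
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.408417622.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
• Opcode ID: 979c417517ed5272e67169a8b99389c3717e517d36bd26b7a749c924d2798351
• Instruction Fuzzy Hash: CC72EC70D01219CFCB54EFA8E9546DD7BF2EF81315F0099A9C0096F6A4EB346E498FA1
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.408417622.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
• Opcode ID: 27dc148e7972ffdc4f0de83303ab8706faba5bc5be0b9e2016ce9895221a7cd6
• Instruction Fuzzy Hash: 8772FC70D01219CFCB54EFA8E9546DD7BF2EF81315F0099A9C0096F6A4EB346E498FA1
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
• Opcode ID: c6c03bf834079f9bf021b7e761ee395af90d106ecbce94d8beafc47d9ba2700a
• Instruction Fuzzy Hash: F2927F70A04258CFCB04EF78E95479EBBB5FB88204F4189AAD449E7394DB389C59CB61
Uniqueness Score: -1.00%
"""

# One regex for the bullet lines we care about; headings such as
# "Memory Dump Source" or "Uniqueness Score" simply do not match.
FIELD_RE = re.compile(r"^\W*(Source File|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
FIELD_NAMES = {"String ID": "string_id", "Opcode ID": "opcode_id",
               "Instruction Fuzzy Hash": "ifh"}


def parse_entries(text):
    """Split the report text into one dict per function entry."""
    entries, current = [], None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Source File":
            # A new "Source File" line starts a new entry.
            off = OFFSET_RE.search(value)
            current = {"source": value, "offset": off.group(1).upper() if off else None,
                       "string_id": "", "opcode_id": "", "ifh": ""}
            entries.append(current)
        elif current is not None:
            current[FIELD_NAMES[key]] = value.upper() if key == "Instruction Fuzzy Hash" else value
    return entries


def nibble_distance(a, b):
    """Positional Hamming distance over hex digits. Assumption: a rough proxy
    for fuzzy-hash similarity, not the sandbox's own metric."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(x != y for x, y in zip(a, b))


def near_duplicates(entries, max_diff=8):
    """Index pairs whose instruction fuzzy hashes differ in at most max_diff
    hex positions, closest pair first."""
    hits = []
    for i, j in combinations(range(len(entries)), 2):
        a, b = entries[i]["ifh"], entries[j]["ifh"]
        if a and b and len(a) == len(b):
            d = nibble_distance(a, b)
            if d <= max_diff:
                hits.append((i, j, d))
    return sorted(hits, key=lambda h: (h[2], h[0], h[1]))


def regions(entries):
    """How many listed functions live in each executable memory region."""
    return dict(Counter(e["offset"] for e in entries))


if __name__ == "__main__":
    found = parse_entries(REPORT_EXCERPT)
    print("functions per region:", regions(found))
    for i, j, d in near_duplicates(found):
        print(f"entries {i} and {j} ({found[i]['offset']} / {found[j]['offset']}) "
              f"differ in {d} hex positions; opcode IDs "
              f"{found[i]['opcode_id'][:12]}... vs {found[j]['opcode_id'][:12]}...")
```

On the excerpt this reports the 027F0000 pair at a distance of 3 and the 04F60000 pair at 4, while every cross-region pair is far above the threshold. Feeding it the whole listing lets you see at a glance which regions (04F50000, 04F60000, 04F70000, 027F0000, 0271D000, 0272D000) hold copies of the same functions before opening any of the dumps in a disassembler.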

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1455f03bd47ecf6267e6be35d9d6f51a28f67cb81c1fc2642a2f35d70e264594
                        • Instruction ID: 0d9e2756b53606aa91fefa99fc6ca7d4db5b56cfc8eed83f70a1d7c55afb1cb9
                        • Opcode Fuzzy Hash: 1455f03bd47ecf6267e6be35d9d6f51a28f67cb81c1fc2642a2f35d70e264594
                        • Instruction Fuzzy Hash: 2AE12F70E04218CBCB04EFB8E98579DBBB5FB88304F4089AAD445A7354EB386D59CB65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 416f5ed2bf3d5712f2126ced20259827e33421344fdc84ec9f25dc2c8b6b7548
                        • Instruction ID: 7341712dfb87f149a7a11b4b3f2aead6ed9c639a9c83fe30c6e2cf1cf707bcc4
                        • Opcode Fuzzy Hash: 416f5ed2bf3d5712f2126ced20259827e33421344fdc84ec9f25dc2c8b6b7548
                        • Instruction Fuzzy Hash: A3C15C71A08205CBC704FF78E95966EBAE6EBC4214F41496DE484C7794EF389C1EC7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 488aad8a3b1b7b67706bd2097ce77231f914dfb231b8e5c7225637f459f3a20b
                        • Instruction ID: 17f0d65eb93e46e61f78faee61ab5e207851fa7a91486ab7b4a4397f361db240
                        • Opcode Fuzzy Hash: 488aad8a3b1b7b67706bd2097ce77231f914dfb231b8e5c7225637f459f3a20b
                        • Instruction Fuzzy Hash: E1910731B002259BCB15EF78C5986BE77A3EFC4254B948929D40A8F394EF34ED06CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6e2b6af5ef1d93bdfe363bf3c5216fa2dade45469dae320672ee86d61310d372
                        • Instruction ID: 8caf68b16338266b6aa91a78bb0309c2672075a4cf67e6c5db558d33146c8f48
                        • Opcode Fuzzy Hash: 6e2b6af5ef1d93bdfe363bf3c5216fa2dade45469dae320672ee86d61310d372
                        • Instruction Fuzzy Hash: BF91CB31B002298FEF14EB64DC54AAD77B2BF48704F104069DA05AB7B5DB75AD42CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f061206dc354b65bd495199babd9a0f61b8c2ea053799ad39745339b9e8b3f03
                        • Instruction ID: 5dfc2cc32436f19658c1ffe5af8c120889ccacc53e36fad08d8addb46b306227
                        • Opcode Fuzzy Hash: f061206dc354b65bd495199babd9a0f61b8c2ea053799ad39745339b9e8b3f03
                        • Instruction Fuzzy Hash: DCA1EC78604105DFD744EF64E8929ADBBB2FB89314764C559DC059B399CB32AD03DF80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a16fe4c10e1af8b3e46c3a0fc9246ef6ca359b7177b89aff11d64f61367e506a
                        • Instruction ID: 215af99ecb79e09bcd2613cca2f58ad3ad7e223d48b56875f1a5bc8128bc21a6
                        • Opcode Fuzzy Hash: a16fe4c10e1af8b3e46c3a0fc9246ef6ca359b7177b89aff11d64f61367e506a
                        • Instruction Fuzzy Hash: EA91DA78604105EFD784EF64E8929ADBBB2FB89314B64C559DC059B398CB32AD03DF80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3a027530521edea59e4052b09ba5e1d016e5374686bf7186fa8bc27b3a990a5d
                        • Instruction ID: 4f82d12e198cbeec20dcb3dba3bf09f3b5854bdf1810d5b0da46da41206a6f55
                        • Opcode Fuzzy Hash: 3a027530521edea59e4052b09ba5e1d016e5374686bf7186fa8bc27b3a990a5d
                        • Instruction Fuzzy Hash: 6B51D535B003159BCB25EF64C9987BDB7B3EF84254F948929D4068F390DF34A946CB82
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 247a53913ae36223977491d3f15f5a16be11373e0236ae44927acefc387f7517
                        • Instruction ID: a0badad3adbf223b58a1ee9a0fc0f9186f5e1e5e8b649d7717c283024524c837
                        • Opcode Fuzzy Hash: 247a53913ae36223977491d3f15f5a16be11373e0236ae44927acefc387f7517
                        • Instruction Fuzzy Hash: 72418134B151549FEB14DFAAD894EAE7BF5AF89704F1080A5EA01EB372CA31EC01CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: daad7183df9cece73d51078d44ded8a353af8402bf97314c33e7ddc947b7cf99
                        • Instruction ID: a28ec3cd5c83c0fd2b74489ab4de261afa6ee3892b0cd0be258a31a69acb07cd
                        • Opcode Fuzzy Hash: daad7183df9cece73d51078d44ded8a353af8402bf97314c33e7ddc947b7cf99
                        • Instruction Fuzzy Hash: DD410171A012058FEB14EFB5D850BEDBBB5EF48314F149469DA06BB3A0DB30B842CB65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 18f7a6fb978e41c240d79643cc10135a96e997467386d2e51b9c40823aa286de
                        • Instruction ID: 5d8b10eba2433e7c044a133347cb31a0cd068fb8e0562040e0045c089ec51159
                        • Opcode Fuzzy Hash: 18f7a6fb978e41c240d79643cc10135a96e997467386d2e51b9c40823aa286de
                        • Instruction Fuzzy Hash: 27410E71A012458FEB14EFB9D850AED7BB5EF48318F049469DA06F7271EB30A942CB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7f8ba919dbaaed6b20716b8d2dbe7d85e3e92bf54b5c00e41281d9ce769e3b56
                        • Instruction ID: e4977a41385f168a241cd7820fa7a4367a223c32c12aa1e6b95a4ee124651caa
                        • Opcode Fuzzy Hash: 7f8ba919dbaaed6b20716b8d2dbe7d85e3e92bf54b5c00e41281d9ce769e3b56
                        • Instruction Fuzzy Hash: CF413231E012058FEB18EFB9D850AEDBBB5EF49314F149069DA05F7361DB30A946CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 104e87d5da43d7917d1f600c199767f36c56d3d64d778e56ecbe72fcd65a0345
                        • Instruction ID: f38a7a6fdf50e16e1fcb7fdc7115050d14c2775a7acef5494164c1fb9d49d4df
                        • Opcode Fuzzy Hash: 104e87d5da43d7917d1f600c199767f36c56d3d64d778e56ecbe72fcd65a0345
                        • Instruction Fuzzy Hash: 60313072E0450A9BDB05DE98D9456BF73B7AB84344F144025D416EB384EF31E9028FA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 492b7f0fca4a38711a6c81e6cb61092aacd22d56660843c6f929d84492c7511e
                        • Instruction ID: 57caca9c937b6a17d7b78a444510b5e73c83dc031b8d973e3a07aae97947ec03
                        • Opcode Fuzzy Hash: 492b7f0fca4a38711a6c81e6cb61092aacd22d56660843c6f929d84492c7511e
                        • Instruction Fuzzy Hash: 4D31D07BE14208DF9B55DFA88D480AE7BB6EF85210B0485AAD405CB355EB34EA03CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6e7f14be7ab6f34afb6921930c9d0f2ff33d60f655f1aee5fbdf6be5c7ed583f
                        • Instruction ID: 59c2c19a666bdb6951e67ddaa6c08c929aef2fee5f8696a856a83c4630a35639
                        • Opcode Fuzzy Hash: 6e7f14be7ab6f34afb6921930c9d0f2ff33d60f655f1aee5fbdf6be5c7ed583f
                        • Instruction Fuzzy Hash: A7315E34B151148FEB00DFAAD484EAD7BF5AF89704F1040A9EA01DB272DA71EC42CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1a34ddf2939b702f8860b2802f28d584a770cf7fd589b3672932624b3fdb65d1
                        • Instruction ID: ba9b4ba9043aa73dc94560e0cd82c697f005a972c1cac559240c4598541b600c
                        • Opcode Fuzzy Hash: 1a34ddf2939b702f8860b2802f28d584a770cf7fd589b3672932624b3fdb65d1
                        • Instruction Fuzzy Hash: 8021F3357142108FC705DB38E418A9977EAEF89715B1584E9E40ACF3A1CF31EC06CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 98d85b116be7eedaaaebc49dc0c11bc71521bcb479d9833cdd035d169995006d
                        • Instruction ID: b28e585008515d65b1f79680156060a31fae70746d5b477c5e32b72b12070b48
                        • Opcode Fuzzy Hash: 98d85b116be7eedaaaebc49dc0c11bc71521bcb479d9833cdd035d169995006d
                        • Instruction Fuzzy Hash: A421A472E0450A5FD706DEA8D9406FFB7F6AFC5344F14416AD506EB384EB34AA028BB1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5b71ac4965dd48a21a8c6e27b6fb6ebfb241a573172b797993af356e9f1818a
                        • Instruction ID: bc1a0c588fccf87ede417bf1a1c31ee12e51c05ecd5a9cbe41773f1369d80640
                        • Opcode Fuzzy Hash: f5b71ac4965dd48a21a8c6e27b6fb6ebfb241a573172b797993af356e9f1818a
                        • Instruction Fuzzy Hash: 1021F6707103746BC745ABB948955AEBAFBDFC6158790896EC00ACB351EF349C058791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.408172503.000000000271D000.00000040.00000001.sdmp, Offset: 0271D000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d8fe8ddec32e367cf89c387d8e7089a2618b3458d3f98c88247698a8a02490d6
                        • Instruction ID: 161787cab871ad1b0ec30cd1ea47ca98f84c76b6e513cd77d5e5bf6d4d300958
                        • Opcode Fuzzy Hash: d8fe8ddec32e367cf89c387d8e7089a2618b3458d3f98c88247698a8a02490d6
                        • Instruction Fuzzy Hash: D6212571500240DFDB25DF58D9C4B26BF65FF88328F248969E8051B246C336D846CFA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.408212295.000000000272D000.00000040.00000001.sdmp, Offset: 0272D000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4d2a9e4d33715edbb6979d7c06f1e8cd24cc4f45ce889cffd42ca5d370960042
                        • Instruction ID: dfa3c58952de42bdb901c5b2949dd266fd39db79d5f614cf4c71d960483ae262
                        • Opcode Fuzzy Hash: 4d2a9e4d33715edbb6979d7c06f1e8cd24cc4f45ce889cffd42ca5d370960042
                        • Instruction Fuzzy Hash: 0821F571604244DFDB34CF54D5C4B16BB65FB84324F24C969D8095B366C336D84BCA61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.408212295.000000000272D000.00000040.00000001.sdmp, Offset: 0272D000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bd99370dd672c933a655777b5d78e3e92c49d706186e4feac20bd181ea344aa4
                        • Instruction ID: 43d1cbcdc8eaa760f77613396b78b8c9a267f7b603012d873e417f59fdb00164
                        • Opcode Fuzzy Hash: bd99370dd672c933a655777b5d78e3e92c49d706186e4feac20bd181ea344aa4
                        • Instruction Fuzzy Hash: 3A2150755093C08FDB22CF24D594715BF71EB46214F28C5DAD8498B6A7C33AD44ACB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4bf808b1854f4cf12618c6ebcf24a4eda6b76206f7f22e837fd9709105fc3e15
                        • Instruction ID: 8b1754c85de77ed77e0806068f6ba9e0c53b42d44f62415fccacdbe061271085
                        • Opcode Fuzzy Hash: 4bf808b1854f4cf12618c6ebcf24a4eda6b76206f7f22e837fd9709105fc3e15
                        • Instruction Fuzzy Hash: 9F11AC77E00218AF9B59CFA8C8454DEBBF6FF85610B04C1AAD015DB318EB309B46CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.408172503.000000000271D000.00000040.00000001.sdmp, Offset: 0271D000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5abe34f8d7c3517c77c3c979f49bf2a8ca302f326995acd92678dee7d62ceae1
                        • Instruction ID: 9fd9a978f1dca47273c3aedd2abe66a2205cecc8d43b114a75271db229c0289b
                        • Opcode Fuzzy Hash: 5abe34f8d7c3517c77c3c979f49bf2a8ca302f326995acd92678dee7d62ceae1
                        • Instruction Fuzzy Hash: DD11AC76404280CFDB16CF14D9C4B16BF72FB88328F2886A9D8450B656C33AD45ACBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e827fa6db3dae95827aab1b0d2dc42b6bb3b2a28664a1f53dc8a857666697b1a
                        • Instruction ID: c9da59fdd459c8aa226fb47f59f9909c16c990f16747aab56b7c900e9083cf23
                        • Opcode Fuzzy Hash: e827fa6db3dae95827aab1b0d2dc42b6bb3b2a28664a1f53dc8a857666697b1a
                        • Instruction Fuzzy Hash: 4F11C876304204AFDB01CF55DC41E6E77AAEF88314F048065ED098B391DB35DC16CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e75d91b17a20f2f0c0580fc5eea065f8af930ca7cb43fa19d427ad70a119b776
                        • Instruction ID: d670228dfcea320b65334b344751b8aadd7ccc12d956b6a34dfbda1a95de8fee
                        • Opcode Fuzzy Hash: e75d91b17a20f2f0c0580fc5eea065f8af930ca7cb43fa19d427ad70a119b776
                        • Instruction Fuzzy Hash: F8F044353091505FC345E659DCD1865F7AAEBC921436884AED80CCB396CE22ED07C791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7d64e7e7b10f2a985eb8800e1725a36db92ba7ad63565ab95f89b3aafdc270d1
                        • Instruction ID: 5ecaed6bd54ff9f7bcd7003eeebe0d715d98202bc64435996a07dd25beb1c534
                        • Opcode Fuzzy Hash: 7d64e7e7b10f2a985eb8800e1725a36db92ba7ad63565ab95f89b3aafdc270d1
                        • Instruction Fuzzy Hash: FA01FF31B002449BEB04EBB5C851BED7BB5EF48315F148069EA06B72A4CA31B842DB64
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411250148.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 708486c3e773163379b4f49ff2b1aef993bea15334338217324a716e8ec42d4c
                        • Instruction ID: 057971afaa59f9fe76fe6b02cc94a4b90f1adaf398e0639981feb60ca6a8aa84
                        • Opcode Fuzzy Hash: 708486c3e773163379b4f49ff2b1aef993bea15334338217324a716e8ec42d4c
                        • Instruction Fuzzy Hash: 1DF04FB1D002599FDB55DF7888056EE7FF1AB89300F10442AD946E7250E7781A02CBE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3105069588f24ff7228973219c990a32d651db2039c61671c6e553242fa94668
                        • Instruction ID: 335ec4bf0448ca4f712fd28231d71ebf742f2e4592cc71a49e4fbbfd1b5b28df
                        • Opcode Fuzzy Hash: 3105069588f24ff7228973219c990a32d651db2039c61671c6e553242fa94668
                        • Instruction Fuzzy Hash: 20E092717242100FEB18BA35DC944AA3BAADF87594304456BEA06CB363CD15EC078791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: de723153f6ad4aee05fa055548dfdadbd03c894c898c93281446bbcd50775c55
                        • Instruction ID: 17320c0ed6eb9d2c6822ffa75771dea515d7728b8f37339c252be1cd3954bda7
                        • Opcode Fuzzy Hash: de723153f6ad4aee05fa055548dfdadbd03c894c898c93281446bbcd50775c55
                        • Instruction Fuzzy Hash: FDF0AC393040505F8694EA5DE9D5926F7EAEBCD228328C47EA80DCB395DE72EC07C690
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411250148.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: af80097195c0e0bffbd8f99829efa327c61a6d39de36c63e7791aa2373fbc822
                        • Instruction ID: a03131a9c63a7065ba68a66ee6f682028d7db7f70d86536bb7b96cbc4096456c
                        • Opcode Fuzzy Hash: af80097195c0e0bffbd8f99829efa327c61a6d39de36c63e7791aa2373fbc822
                        • Instruction Fuzzy Hash: 87F03071D002299FDB54EF798C046AE7EF5AB88300F10442AC905F7250DB741642CBE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411250148.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.411181891.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.411149506.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID: @^.$F$G
                        • API String ID: 0-3521089782
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Executed Functions

                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 018069A0
                        • GetCurrentThread.KERNEL32 ref: 018069DD
                        • GetCurrentProcess.KERNEL32 ref: 01806A1A
                        • GetCurrentThreadId.KERNEL32 ref: 01806A73
                        Memory Dump Source
                        • Source File: 00000007.00000002.561376136.0000000001800000.00000040.00000001.sdmp, Offset: 01800000, based on PE: false
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 018069A0
                        • GetCurrentThread.KERNEL32 ref: 018069DD
                        • GetCurrentProcess.KERNEL32 ref: 01806A1A
                        • GetCurrentThreadId.KERNEL32 ref: 01806A73
                        Memory Dump Source
                        • Source File: 00000007.00000002.561376136.0000000001800000.00000040.00000001.sdmp, Offset: 01800000, based on PE: false
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018051A2
                        Memory Dump Source
                        • Source File: 00000007.00000002.561376136.0000000001800000.00000040.00000001.sdmp, Offset: 01800000, based on PE: false
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018051A2
                        Memory Dump Source
                        • Source File: 00000007.00000002.561376136.0000000001800000.00000040.00000001.sdmp, Offset: 01800000, based on PE: false
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 01807F01
                        Memory Dump Source
                        • Source File: 00000007.00000002.561376136.0000000001800000.00000040.00000001.sdmp, Offset: 01800000, based on PE: false
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01806BEF
                        Memory Dump Source
                        • Source File: 00000007.00000002.561376136.0000000001800000.00000040.00000001.sdmp, Offset: 01800000, based on PE: false
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01806BEF
                        Memory Dump Source
                        • Source File: 00000007.00000002.561376136.0000000001800000.00000040.00000001.sdmp, Offset: 01800000, based on PE: false
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlEncodePointer.NTDLL(00000000), ref: 0180BE72
                        Memory Dump Source
                        • Source File: 00000007.00000002.561376136.0000000001800000.00000040.00000001.sdmp, Offset: 01800000, based on PE: false
                        Similarity
                        • API ID: EncodePointer
                        • String ID:
                        • API String ID: 2118026453-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlEncodePointer.NTDLL(00000000), ref: 0180BE72
                        Memory Dump Source
                        • Source File: 00000007.00000002.561376136.0000000001800000.00000040.00000001.sdmp, Offset: 01800000, based on PE: false
                        Similarity
                        • API ID: EncodePointer
                        • String ID:
                        • API String ID: 2118026453-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Executed Functions

                        Memory Dump Source
                        • Source File: 0000000F.00000002.556686713.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000000F.00000002.556686713.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000000F.00000002.556686713.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000000F.00000002.556686713.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000000F.00000002.553662607.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000000F.00000002.556686713.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000000F.00000002.556686713.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000000F.00000002.556686713.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000000F.00000002.556686713.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions