
Windows Analysis Report MV THALASSINI (EX- OCEAN LORD).doc.exe

Overview

General Information

Sample Name: MV THALASSINI (EX- OCEAN LORD).doc.exe
Analysis ID: 532732
MD5: 4b70ce8188818a2af2012d5873d41427
SHA1: 1ecffa65239684b2dd8aad9af1f492abae1abf9d
SHA256: 36db74b3ae7fee8c2acb570837c772d62274a96c4767ba01cab7540942d2788f
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Process Tree

  • System is w10x64
  • MV THALASSINI (EX- OCEAN LORD).doc.exe (PID: 6652 cmdline: "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" MD5: 4B70CE8188818A2AF2012D5873D41427)
    • cmd.exe (PID: 5580 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5612 cmdline: schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5312 cmdline: cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • fffik.exe (PID: 4808 cmdline: C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: 4B70CE8188818A2AF2012D5873D41427)
    • fffik.exe (PID: 5272 cmdline: C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: 4B70CE8188818A2AF2012D5873D41427)
    • cmd.exe (PID: 1184 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 2584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5200 cmdline: schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5704 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "zzlogs@gurnarshipping.com", "Password": "lSeZyYA0", "Host": "smtp.gurnarshipping.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(29 entries in total; the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author
23.0.fffik.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
23.0.fffik.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
23.2.fffik.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
23.2.fffik.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
23.0.fffik.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(35 entries in total; the first 5 are shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, CommandLine: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, CommandLine|base64offset|contains: Lp$4, Image: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, NewProcessName: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, OriginalFileName: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, ParentCommandLine: "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" , ParentImage: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, ParentProcessId: 6652, ProcessCommandLine: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, ProcessId: 6148

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 15.2.fffik.exe.3e30390.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "zzlogs@gurnarshipping.com", "Password": "lSeZyYA0", "Host": "smtp.gurnarshipping.com"}
Multi AV Scanner detection for submitted file
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Virustotal: Detection: 61%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Metadefender: Detection: 42%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | ReversingLabs: Detection: 62%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Virustotal: Detection: 61%
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Joe Sandbox ML: detected
Source: 23.0.fffik.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.2.fffik.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack | Avira: Label: TR/Spy.Gen8
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: http://KSLlwF.com
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, fffik.exe, 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, fffik.exe, 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: fffik.exe, 0000000F.00000002.553845655.00000000011DA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs | Large array initialization: .cctor: array initializer size 11764
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs | Large array initialization: .cctor: array initializer size 11764
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs | Large array initialization: .cctor: array initializer size 11764
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_027F9250
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_027F0448
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_027F3991
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_027F042B
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F50040
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F55568
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F5B065
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F6195D
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F656E8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F70040
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F793A8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F50006
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F656D8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F70007
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_018046A0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_018045BA
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_0180D261
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_01190448
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_01199260
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_0119042A
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_052F5568
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_052F0040
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_052FB065
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_0530195D
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_053056E8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05310040
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_053193A8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05319398
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05310007
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_01199250
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_052F0006
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_053056D8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_012B46A0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_012B45B0
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000000.293118049.000000000018B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.408760139.00000000029D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.398680316.000000000018B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.400547432.0000000000438000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Virustotal: Detection: 61%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Metadefender: Detection: 42%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | ReversingLabs: Detection: 62%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe"
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: unknown | Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | File created: C:\Users\user\AppData\Roaming\fffik
Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/2@0/0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Base64 encoded strings in GetILGenerator.cs, identical in each of these sources: MV THALASSINI (EX- OCEAN LORD).doc.exe; 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack; 0.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack; 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.4.unpack; 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.8.unpack; 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.12.unpack; 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack
'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252'
'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz'
'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY'
'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im'
'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ'
'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn'
'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
Base64 encoded string in M_ignoreTypeLoadFailures.cs, identical in each of the same seven sources:
'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.csBase64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.csBase64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.1.unpack, M_ignoreTypeLoadFailures.csBase64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.1.unpack, GetILGenerator.csBase64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.2.unpack, GetILGenerator.csBase64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.2.unpack, M_ignoreTypeLoadFailures.csBase64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2584:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3892:120:WilError_01
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      Binary or sample is protected by dotNetProtector
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | String found in binary or memory: dotNetProtector
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.407043312.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000000.293020376.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.396661098.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
                      Source: fffik.exe | String found in binary or memory: dotNetProtector
                      Source: fffik.exe, 0000000F.00000000.414752204.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
                      Source: fffik.exe, 0000000F.00000002.552157957.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
                      Source: fffik.exe, 00000017.00000000.531992107.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
                      Source: fffik.exe.10.dr | String found in binary or memory: dotNetProtector
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B5CC8 push eax; ret 0_2_000B5CC9
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B7BD7 push edi; ret 0_2_000B7BD8
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B43AF push edx; iretd 0_2_000B43B0
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B5CBF push eax; ret 0_2_000B5CC0
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F60642 pushfd ; retf 0_2_04F60645
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F7E123 push ecx; iretd 0_2_04F7E126
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F75393 push es; retf 0_2_04F75425
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B5CC8 push eax; ret 7_2_000B5CC9
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B7BD7 push edi; ret 7_2_000B7BD8
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B43AF push edx; iretd 7_2_000B43B0
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B5CBF push eax; ret 7_2_000B5CC0
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB5CBF push eax; ret 15_2_00BB5CC0
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB43AF push edx; iretd 15_2_00BB43B0
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB7BD7 push edi; ret 15_2_00BB7BD8
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB5CC8 push eax; ret 15_2_00BB5CC9
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05300642 pushfd ; retf 15_2_05300645
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_0531E123 push ecx; iretd 15_2_0531E126
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05315393 push es; retf 15_2_05315425
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB5CBF push eax; ret 23_2_00BB5CC0
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB43AF push edx; iretd 23_2_00BB43B0
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB7BD7 push edi; ret 23_2_00BB7BD8
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB5CC8 push eax; ret 23_2_00BB5CC9
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | File created: \mv thalassini (ex- ocean lord).doc.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\fffik\fffik.exe

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f

                      Hooking and other Techniques for Hiding and Protection:

                      Uses an obfuscated file name to hide its real file extension (double extension)
                      Source: Possible double extension: doc.exe | Static PE information: MV THALASSINI (EX- OCEAN LORD).doc.exe
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5372 | Thread sleep time: -75000s >= -30000s
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 3752 | Thread sleep time: -18446744073709540s >= -30000s
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5248 | Thread sleep count: 2541 > 30
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5248 | Thread sleep count: 7309 > 30
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe TID: 5144 | Thread sleep count: 76 > 30
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe TID: 5144 | Thread sleep time: -76000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Window / User API: threadDelayed 2541
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Window / User API: threadDelayed 7309
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process information queried: ProcessInformation
                      Source: fffik.exe.10.dr | Binary or memory string: vmware
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Memory written: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Memory written: C:\Users\user\AppData\Roaming\fffik\fffik.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe VolumeInformation
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Users\user\AppData\Roaming\fffik\fffik.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 23.0.fffik.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.fffik.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.0.fffik.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.unpack, type: UNPACKEDPE
                      Source: Ya