Windows Analysis Report MV THALASSINI (EX- OCEAN LORD).doc.exe

Overview

General Information

Sample Name: MV THALASSINI (EX- OCEAN LORD).doc.exe
Analysis ID: 532732
MD5: 4b70ce8188818a2af2012d5873d41427
SHA1: 1ecffa65239684b2dd8aad9af1f492abae1abf9d
SHA256: 36db74b3ae7fee8c2acb570837c772d62274a96c4767ba01cab7540942d2788f
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Process Tree

  • System is w10x64
  • MV THALASSINI (EX- OCEAN LORD).doc.exe (PID: 6652 cmdline: "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" MD5: 4B70CE8188818A2AF2012D5873D41427)
    • cmd.exe (PID: 5580 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5612 cmdline: schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5312 cmdline: cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • fffik.exe (PID: 4808 cmdline: C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: 4B70CE8188818A2AF2012D5873D41427)
    • fffik.exe (PID: 5272 cmdline: C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: 4B70CE8188818A2AF2012D5873D41427)
    • cmd.exe (PID: 1184 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 2584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5200 cmdline: schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5704 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "zzlogs@gurnarshipping.com", "Password": "lSeZyYA0", "Host": "smtp.gurnarshipping.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(29 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
23.0.fffik.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
23.0.fffik.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
23.2.fffik.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
23.2.fffik.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
23.0.fffik.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(35 entries in total)

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started, Author: Florian Roth (rule), @blu3_team (idea), Data: Command: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, CommandLine: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, CommandLine|base64offset|contains: Lp$4, Image: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, NewProcessName: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, OriginalFileName: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, ParentCommandLine: "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe", ParentImage: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, ParentProcessId: 6652, ProcessCommandLine: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, ProcessId: 6148

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 15.2.fffik.exe.3e30390.1.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "zzlogs@gurnarshipping.com", "Password": "lSeZyYA0", "Host": "smtp.gurnarshipping.com"}
Multi AV Scanner detection for submitted file
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Virustotal: Detection: 61%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Metadefender: Detection: 42%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, ReversingLabs: Detection: 62%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Virustotal: Detection: 61%
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Metadefender: Detection: 42%
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Joe Sandbox ML: detected
Source: 23.0.fffik.exe.400000.10.unpack, Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, Avira: Label: TR/Spy.Gen8
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.12.unpack, Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.4.unpack, Avira: Label: TR/Spy.Gen8
Source: 23.2.fffik.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.8.unpack, Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack, Avira: Label: TR/Spy.Gen8
Source: 23.0.fffik.exe.400000.6.unpack, Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack, Avira: Label: TR/Spy.Gen8
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack, Avira: Label: TR/Spy.Gen8
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, String found in binary or memory: http://KSLlwF.com
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, fffik.exe, 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, fffik.exe, 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: fffik.exe, 0000000F.00000002.553845655.00000000011DA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

.NET source code contains very large array initializations
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs, Large array initialization: .cctor: array initializer size 11764
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs, Large array initialization: .cctor: array initializer size 11764
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b74DAF1E6u002dDA4Fu002d4258u002dB338u002dD3F8DC0870C5u007d/u0039B2327B0u002dE692u002d4D44u002dA519u002d7CC929D70F01.cs, Large array initialization: .cctor: array initializer size 11764
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_027F9250
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_027F0448
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_027F3991
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_027F042B
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_04F50040
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_04F55568
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_04F5B065
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_04F6195D
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_04F656E8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_04F70040
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_04F793A8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_04F50006
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_04F656D8
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 0_2_04F70007
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 7_2_018046A0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 7_2_018045BA
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Code function: 7_2_0180D261
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_01190448
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_01199260
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_0119042A
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_052F5568
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_052F0040
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_052FB065
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_0530195D
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_053056E8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_05310040
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_053193A8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_05319398
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_05310007
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_01199250
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_052F0006
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 15_2_053056D8
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 23_2_012B46A0
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Code function: 23_2_012B45B0
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000000.293118049.000000000018B000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.408760139.00000000029D0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.398680316.000000000018B000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.400547432.0000000000438000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameGeksPfmjNmKvwLoKoDVVN.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Binary or memory string: OriginalFilenameDeskSpace15814TrialSetup.exe4 vs MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Virustotal: Detection: 61%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Metadefender: Detection: 42%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, ReversingLabs: Detection: 62%
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe"
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: unknown, Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, File created: C:\Users\user\AppData\Roaming\fffik
Source: classification engine, Classification label: mal100.troj.evad.winEXE@22/2@0/0
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, GetILGenerator.cs, Base64 encoded string: (base64 values omitted)
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, M_ignoreTypeLoadFailures.cs, Base64 encoded string: (base64 value omitted)
Source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs, Base64 encoded string: (base64 values omitted)
Source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.cs, Base64 encoded string: (base64 value omitted)
Source: 0.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.cs, Base64 encoded string: (base64 value omitted)
Source: 0.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs, Base64 encoded string: (base64 values omitted)
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.4.unpack, M_ignoreTypeLoadFailures.cs, Base64 encoded string: (base64 value omitted)
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.4.unpack, GetILGenerator.cs, Base64 encoded string: (base64 values omitted)
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.8.unpack, GetILGenerator.cs, Base64 encoded string: (base64 values omitted)
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.8.unpack, M_ignoreTypeLoadFailures.cs, Base64 encoded string: (base64 value omitted)
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.12.unpack, GetILGenerator.cs, Base64 encoded string: (base64 values omitted)
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.12.unpack, M_ignoreTypeLoadFailures.cs, Base64 encoded string: (base64 value omitted)
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.cs, Base64 encoded string: (base64 value omitted)
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs, Base64 encoded string: (base64 values omitted)
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, GetILGenerator.cs, Base64 encoded string: (base64 values omitted)
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.0.unpack, M_ignoreTypeLoadFailures.csBase64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.1.unpack, M_ignoreTypeLoadFailures.csBase64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.1.unpack, GetILGenerator.csBase64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.2.unpack, GetILGenerator.csBase64 encoded string: 'WA8UQltGnzLzQf/J48yVFSYWWAgaO+W7UA/5X0rZTJ2eWAa3ltwpXl1HJtTnnJQOoKAjvvLCuHmRHrJ76cU9OGCsSLQ4MCgLTOLtxYQY3pmtrcoGqnEoY2NvY1nfJ252', 'N46TO75W6q2Y/fUlbDgkfw7X4s1f/nCAaNqwLLKakaJWxiLz9WUNKizMDKB7XPnVynmP5R4B0Rz5hs6/yJYOSftLbraZZL2xK8GvJEm1pLk1rj1A3xNHaUaXbH0wowyz', 'hOLcac4qFn3p4Ml6t8RBCssllSSYbteqcyhlC3TiYSwz8j7DogpYl/yTdHsrAMfVwVL2k6e0tts5EbQpPAosJp8ky8oIq0i1HLu52PYDdbwRwrjv0OJH3nR+LaNSFLhY', 'pacdHMJbpCHckBVSzW3eRA3WqhvN0qFKJYpNJMQh0ctKZQImL0q6yLnnEab+5C9ACMFVfGc3AD70lywfeoIFG0PLE0XJaa2/EXWUMy+3WAe3cY9vjhppm2Ij5nLFe3im', 'HhUoKclqBuVSyweG5y5gxigaB62dAS5ZWXn9SSHEp2hz8q8kuo8wN7sB9l5F5Ix4BofWlxIsVx16sOvIThv5yvo2zrnaR19J59/1MEjQt2Xi4WWQK8nbDlFA7YYeJGlQ', 'JV9ZxqSjJyWDYmg/DJtap9zlqfFM1RUNMcbvtJ79tVU0nGLocWkbbMh/bJfuFdTc8+BUuapHpFssdoyEvr0I5jPM4MMLLWVUhX2Ce3Jsp3aAHT8z8A81kNecjj49pldn', 'uA+7uNAQ1wAGpsFyc5eHtHAlBCwq2drSA1dpDwcnc7b4pjGKyzdWCoW8Fe9osRmmpJR1kfU2GzAORuQcwNd6Mta1wAPqZyaja8TMdF/FA6ldn8PoTdfq4g9xPOpp98Mt'
                      Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.b0000.2.unpack, M_ignoreTypeLoadFailures.csBase64 encoded string: 'vWtfOgD2ZB8EgzKAb4rnAW55ya4I72Hj+Z/JImKWFRYaAamhH64zphh7ZIfvIMLw0iTiHKSBR+NkOdfOk3JvF0qe1tjGoS4P3ohmrICz9d3H/aVdcXrUsbWQAi9AW/7o'
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2584:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3892:120:WilError_01
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Binary or sample is protected by dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.407043312.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.407043312.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000000.293020376.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000000.293020376.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.396661098.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.396661098.00000000000B2000.00000020.00020000.sdmp | String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: fffik.exe | String found in binary or memory: dotNetProtector
Source: fffik.exe, 0000000F.00000000.414752204.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: fffik.exe, 0000000F.00000000.414752204.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: fffik.exe, 0000000F.00000002.552157957.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: fffik.exe, 0000000F.00000002.552157957.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: fffik.exe | String found in binary or memory: dotNetProtector
Source: fffik.exe, 00000017.00000000.531992107.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: dotNetProtector
Source: fffik.exe, 00000017.00000000.531992107.0000000000BB2000.00000020.00020000.sdmp | String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | String found in binary or memory: dotNetProtector
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe | String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: fffik.exe.10.dr | String found in binary or memory: dotNetProtector
Source: fffik.exe.10.dr | String found in binary or memory: qset_ShowInTaskbarRightCharInvokeMemberInvalidHebrewNumberStreamReaderTextReaderRNGCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderEncoderlpBufferResourceManagerDebuggerManagementObjectSearcherM_innerHasOwnerAbsHelperM_resHelperTimeoutHelperGet_CreatePdbSymbolWriterget_IsPointerS_taskIdCounterBitConverterToLowerLazyInitializerDisableJITcompileOptimizerGetTokenForXorFlooramDesignatorDateSeparatorC_componentSeparatorGet_ListSeparatorManagementObjectEnumeratorGetEnumeratorGetILGeneratorRandomNumberGeneratorOperator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_iCAsM_CheckedForNonCasAbsSystem.DiagnosticsGet_PreserveMemberRefRidsCheckLinktimeDemandsget_LowerBoundsGetMethodsMatchSpecifiedWordsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesSet_ResourcesmebhFnhkAk.resourcesInitializeMethodOverridesGetNumberOfCatchesGet_HasDeclSecuritiesSortPropertiesmdTablesEndCreateTablesbInheritHandlesEnableVisualStylesGenitiveMonthNamesEquals_PropertyNamesEmptyTypesM_ignoreTypeLoadFailureslpThreadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributeslpProcessAttributesDeclSecurityAttributesRfc2898DeriveBytesUnsafeWriteAllBytesInternalWriteAllBytesGetBytesStorageFlagsBindingFlagsM_grantSetSpecialFlagsdwCreationFlagsGetMethodImplementationFlagsSetImplementationFlagsSet_Cor20HeaderFlagsLdapSyntaxFlagsPushMethodArgsEqualsSystem.Windows.FormsUseDigitPrefixInTokensContainsSystem.CollectionsReadFunctionsWriteInstructionsCallingConventionsRestoreOptionsUnclonedLongTimePatternsAllLongDatePatternsCosOverlapsget_CharsGetOptionalCustomModifiersS_activeTaskSchedulersGetParameterssssssaffhdfffffadtrrssssssfaffahfaffasfadtrrssssssfafddhhkftrrsget_IsClassAssemblyBuilderAccesshProcessGetCurrentProcessunsafeUseAddresslpBaseAddresslpAddressGet_PreserveStringsOffsetsReportThreadStatusWrapNonExceptionThrowsAlways
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B5CC8 push eax; ret
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B7BD7 push edi; ret
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B43AF push edx; iretd
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_000B5CBF push eax; ret
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F60642 pushfd ; retf
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F7E123 push ecx; iretd
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 0_2_04F75393 push es; retf
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B5CC8 push eax; ret
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B7BD7 push edi; ret
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B43AF push edx; iretd
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Code function: 7_2_000B5CBF push eax; ret
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB5CBF push eax; ret
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB43AF push edx; iretd
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB7BD7 push edi; ret
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_00BB5CC8 push eax; ret
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05300642 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_0531E123 push ecx; iretd
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 15_2_05315393 push es; retf
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB5CBF push eax; ret
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB43AF push edx; iretd
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB7BD7 push edi; ret
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe | Code function: 23_2_00BB5CC8 push eax; ret
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | File created: \mv thalassini (ex- ocean lord).doc.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\fffik\fffik.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: doc.exe | Static PE information: MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fffik\fffik.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5372 Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 3752 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5248 Thread sleep count: 2541 > 30
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe TID: 5248 Thread sleep count: 7309 > 30
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe TID: 5144 Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe TID: 5144 Thread sleep time: -76000s >= -30000s
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Last function: Thread delayed (3 identical events)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Window / User API: threadDelayed 2541
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Window / User API: threadDelayed 7309
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Thread delayed: delay time: 922337203685477
Source: fffik.exe.10.dr Binary or memory string: vmware
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Process token adjusted: Debug (2 identical events)
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Memory written: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Memory written: C:\Users\user\AppData\Roaming\fffik\fffik.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Process created: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Process created: C:\Users\user\AppData\Roaming\fffik\fffik.exe C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp Binary or memory string: Progman
Source: MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.561753181.0000000001DA0000.00000002.00020000.sdmp, fffik.exe, 00000017.00000002.561468036.0000000001920000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Queries volume information: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Queries volume information: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical events)
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Queries volume information: C:\Users\user\AppData\Roaming\fffik\fffik.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Queries volume information: C:\Users\user\AppData\Roaming\fffik\fffik.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fffik\fffik.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
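The process tree above is the persistence chain: cmd.exe copies the dropper to the user's roaming AppData directory as fffik.exe, then schtasks.exe registers a task named "Nanias" that relaunches that copy every minute, and the dropped copy repeats the same two steps on its own start. The Python below is an added detection example for this report, not sandbox or malware code. It runs the corresponding rules over constructed process-creation records that mirror the command lines listed above (field names are a simplification of Sysmon Event ID 1) and correlates the copy with the task that points at it; the interval threshold and the user-writable path patterns are assumptions.

```python
"""Detection logic for the persistence chain this sample shows in its
process tree: the dropper copies itself into the user's roaming AppData
directory, then registers a scheduled task that relaunches that copy every
minute.

Added example for this report, not sandbox or malware code. The event
records are constructed to mirror the command lines in the report; the
field names are a simplification of Sysmon Event ID 1, and the interval
threshold and path patterns are assumptions.
"""
import re

MAX_OK_INTERVAL_MIN = 5          # assumed: legitimate tasks rarely fire this often

# Paths an unprivileged user can write to (assumed list, matched on lowercase).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata\\(roaming|local)|desktop|downloads|documents)\\"
    r"|\\programdata\\|\\temp\\"
)

# Constructed records, in the order they were logged.
SAMPLE_EVENTS = [
    {"pid": 6300, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f'''},
    {"pid": 6308, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'''schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f'''},
    {"pid": 6320, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe'''},
    # Benign control: a nightly backup task installed under Program Files.
    {"pid": 7000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /f'''},
]


def parse_schtasks(cmdline):
    """Return the /sc, /mo, /tn and /tr options of a 'schtasks /create'
    command line, or None when the line does not create a task."""
    if not re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", cmdline, re.I):
        return None
    opts = {}
    for m in re.finditer(r'/(sc|mo|tn|tr)\s+(?:"([^"]*)"|(\S+))', cmdline, re.I):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        opts[m.group(1).lower()] = value.strip("'")    # /tr is often wrapped in '...'
    return opts


def interval_minutes(opts):
    """Run interval implied by /sc and /mo, in minutes; None for non-periodic schedules."""
    unit = {"minute": 1, "hourly": 60, "daily": 1440, "weekly": 10080}.get(opts.get("sc", "").lower())
    if unit is None:
        return None
    try:
        return unit * int(opts.get("mo", "1"))
    except ValueError:
        return unit


def parse_copy(cmdline):
    """Return (source, destination) of a cmd 'copy' invocation, or None.
    Tolerates the unterminated closing quote seen in this sample's command line."""
    m = re.search(r'\bcopy\s+"([^"]+)"\s+"?([^"]+)', cmdline, re.I)
    if m:
        return m.group(1), m.group(2)
    m = re.search(r"\bcopy\s+(\S+)\s+(\S+)", cmdline, re.I)
    return (m.group(1), m.group(2)) if m else None


def normalize_path(p):
    return p.strip().strip("'\"").lower()


def analyze(events):
    """Run the three rules over process-creation events and return the findings."""
    findings, seen = [], set()
    task_targets, copy_targets = {}, {}
    for ev in events:
        cmd = ev["cmdline"]
        opts = parse_schtasks(cmd)
        if opts and "tr" in opts:
            target = normalize_path(opts["tr"])
            every = interval_minutes(opts)
            reasons = []
            if every is not None and every <= MAX_OK_INTERVAL_MIN:
                reasons.append(f"fires every {every} min")
            if USER_WRITABLE.search(target):
                reasons.append("action runs from a user-writable path")
            # The cmd.exe wrapper and its schtasks.exe child carry the same
            # command; report the task once.
            key = ("suspicious-schtasks", target, opts.get("tn", "").lower())
            if reasons and key not in seen:
                seen.add(key)
                findings.append({"pid": ev["pid"], "rule": key[0], "path": target,
                                 "detail": "; ".join(reasons)})
                task_targets[target] = ev["pid"]
        copied = parse_copy(cmd)
        if copied:
            src, dst = (normalize_path(p) for p in copied)
            if dst.endswith(".exe") and USER_WRITABLE.search(dst):
                findings.append({"pid": ev["pid"], "rule": "exe-copied-to-user-path",
                                 "path": dst, "detail": f"{src} -> {dst}"})
                copy_targets[dst] = ev["pid"]
    # Correlate: a freshly copied binary that is also a scheduled-task action.
    for path in task_targets.keys() & copy_targets.keys():
        findings.append({"pid": task_targets[path], "rule": "persistence-chain", "path": path,
                         "detail": "copied binary is the action of a high-frequency task"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

Either rule alone is noisy on a busy fleet (installers create tasks, users copy executables); the correlation of the two on the same normalized path is what makes the alert worth paging on. The benign control record (a daily task under Program Files) produces no finding.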

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match, file source: 23.0.fffik.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.2.fffik.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.0.fffik.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.0.fffik.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.0.fffik.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.0.fffik.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.fffik.exe.3dfb170.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.fffik.exe.3e30390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.fffik.exe.3dfb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.fffik.exe.3e30390.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.401381216.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.400525770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000017.00000000.534716149.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.400110349.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.559754507.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000017.00000000.535791099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6652, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6148, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: fffik.exe PID: 4808, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: fffik.exe PID: 5272, type: MEMORYSTR
Source: Yara match, file source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6148, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: fffik.exe PID: 5272, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match. File source: 23.0.fffik.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match. File source: 23.2.fffik.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match. File source: 23.0.fffik.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match. File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match. File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.unpack, type: UNPACKEDPE
Source: Yara match. File source: 23.0.fffik.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match. File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match. File source: 23.0.fffik.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.unpack, type: UNPACKEDPE
Source: Yara match. File source: 23.0.fffik.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match. File source: 7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match. File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match. File source: 15.2.fffik.exe.3dfb170.2.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.39b0390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match. File source: 15.2.fffik.exe.3e30390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 15.2.fffik.exe.3dfb170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.397b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 15.2.fffik.exe.3e30390.1.unpack, type: UNPACKEDPE
Source: Yara match. File source: 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000007.00000000.401381216.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000007.00000000.400525770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000017.00000000.534716149.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000007.00000000.400110349.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000007.00000002.559754507.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000017.00000000.535791099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6652, type: MEMORYSTR
Source: Yara match. File source: Process Memory Space: MV THALASSINI (EX- OCEAN LORD).doc.exe PID: 6148, type: MEMORYSTR
Source: Yara match. File source: Process Memory Space: fffik.exe PID: 4808, type: MEMORYSTR
Source: Yara match. File source: Process Memory Space: fffik.exe PID: 5272, type: MEMORYSTR

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (221) | Scheduled Task/Job (1) | Process Injection (112) | Masquerading (11) | Input Capture (1) | Security Software Discovery (231) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job (1) | Boot or Logon Initialization Scripts | Scheduled Task/Job (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (151) | Security Account Manager | Virtualization/Sandbox Evasion (151) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (112) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Information Discovery (123) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (111) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 532732
Sample: MV THALASSINI (EX- OCEAN LORD).doc.exe
Start date: 02/12/2021
Architecture: WINDOWS
Score: 100
Signatures on the sample: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 7 other signatures
Process tree (signatures and dropped files are listed on the process that triggered them):
• MV THALASSINI (EX- OCEAN LORD).doc.exe (started): Injects a PE file into a foreign processes
  • cmd.exe (started): dropped C:\Users\user\AppData\Roaming\...\fffik.exe (PE32) and C:\Users\user\...\fffik.exe:Zone.Identifier (ASCII)
    • conhost.exe (started)
  • cmd.exe (started): Uses schtasks.exe or at.exe to add and modify task schedules
    • conhost.exe (started)
    • schtasks.exe (started)
  • MV THALASSINI (EX- OCEAN LORD).doc.exe (started)
• fffik.exe (started): Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • cmd.exe (started)
    • conhost.exe (started)
    • schtasks.exe (started)
  • cmd.exe (started)
    • conhost.exe (started)
  • fffik.exe (started)

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
MV THALASSINI (EX- OCEAN LORD).doc.exe | 62% | Virustotal |
MV THALASSINI (EX- OCEAN LORD).doc.exe | 43% | Metadefender |
MV THALASSINI (EX- OCEAN LORD).doc.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
MV THALASSINI (EX- OCEAN LORD).doc.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\fffik\fffik.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\fffik\fffik.exe | 62% | Virustotal |
C:\Users\user\AppData\Roaming\fffik\fffik.exe | 43% | Metadefender |
C:\Users\user\AppData\Roaming\fffik\fffik.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

Source | Detection | Scanner | Label
23.0.fffik.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.11.unpack | 100% | Avira | TR/Spy.Gen8
7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.9.unpack | 100% | Avira | TR/Spy.Gen8
7.2.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
23.0.fffik.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
23.0.fffik.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
23.2.fffik.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
23.0.fffik.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.5.unpack | 100% | Avira | TR/Spy.Gen8
23.0.fffik.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.7.unpack | 100% | Avira | TR/Spy.Gen8
7.0.MV THALASSINI (EX- OCEAN LORD).doc.exe.400000.13.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://KSLlwF.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://KSLlwF.com | fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, fffik.exe, 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, MV THALASSINI (EX- OCEAN LORD).doc.exe, 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, fffik.exe, 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, fffik.exe, 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                      Contacted IPs

                      No contacted IP infos

                      General Information

                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:532732
                      Start date:02.12.2021
                      Start time:16:51:45
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 12m 6s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:MV THALASSINI (EX- OCEAN LORD).doc.exe
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:31
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@22/2@0/0
                      EGA Information:Failed
                      HDC Information:Failed
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .exe
                      Warnings:
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 92.122.145.220
                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                      Simulations

                      Behavior and APIs

Time | Type | Description
16:53:40 | Task Scheduler | Run new task: Nanias path: "C:\Users\user\AppData\Roaming\fffik\fffik.exe"
16:53:46 | API Interceptor | 420x Sleep call for process: MV THALASSINI (EX- OCEAN LORD).doc.exe modified

                      Joe Sandbox View / Context

                      IPs

                      No context

                      Domains

                      No context

                      ASN

                      No context

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Process:C:\Windows\SysWOW64\cmd.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):915456
                      Entropy (8bit):6.078026359267813
                      Encrypted:false
                      SSDEEP:12288:t/jY038PO0YCNkMBPf/WRjLkflW1lagKsPFg:Jsm0YcdfgLkflW1lTFg
                      MD5:4B70CE8188818A2AF2012D5873D41427
                      SHA1:1ECFFA65239684B2DD8AAD9AF1F492ABAE1ABF9D
                      SHA-256:36DB74B3AE7FEE8C2ACB570837C772D62274A96C4767BA01CAB7540942D2788F
                      SHA-512:FEE0BB6584F39AF192EC72F59AFA17F40BC18E7F26B0E9D16842765FC2AB76FBF0046CFCE8918109646CA2E420E0700D07CC16C1D18DD8F977D437E045665C0E
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: Virustotal, Detection: 62%, Browse
                      • Antivirus: Metadefender, Detection: 43%, Browse
                      • Antivirus: ReversingLabs, Detection: 62%
                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................V........... ........@.. .......................@......2.....@.....................................K.......^R................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...^R.......T..................@..@.reloc....... ......................@..B.......................H...................;.......R..........................................:.(......}....*.~'...~&...r.?.p.{.........(....(....~(...(....*..(....*:.(......}....*.~'...~&...r.?.p.{.........(....(....~(...(....*2~.....(....*..(....*.*..{....*..{....*:~.......(....*..(......ee. .... .(..aiY.#....Ai..#....Ai..X(....Ze}....*..{....*:~.......(....*6~......(....*..{....*..{....*..{....*..{....*..(......#.....,..#.....,..X(....f.Ye}....*..{....*..{....*..{....*.~....(....*.~....(....*..
                      C:\Users\user\AppData\Roaming\fffik\fffik.exe:Zone.Identifier
                      Process:C:\Windows\SysWOW64\cmd.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:modified
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Preview: [ZoneTransfer]....ZoneId=0

                      Static File Info

                      General

                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):6.078026359267813
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:MV THALASSINI (EX- OCEAN LORD).doc.exe
                      File size:915456
                      MD5:4b70ce8188818a2af2012d5873d41427
                      SHA1:1ecffa65239684b2dd8aad9af1f492abae1abf9d
                      SHA256:36db74b3ae7fee8c2acb570837c772d62274a96c4767ba01cab7540942d2788f
                      SHA512:fee0bb6584f39af192ec72f59afa17f40bc18e7f26b0e9d16842765fc2ab76fbf0046cfce8918109646ca2e420e0700d07cc16c1d18dd8f977d437e045665c0e
                      SSDEEP:12288:t/jY038PO0YCNkMBPf/WRjLkflW1lagKsPFg:Jsm0YcdfgLkflW1lTFg
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................V........... ........@.. .......................@......2.....@................................

                      File Icon

                      Icon Hash:7cd8d8d8e6eeee66

                      Static PE Info

                      General

                      Entrypoint:0x47bf0e
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x619EA6F9 [Wed Nov 24 20:56:25 2021 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:v4.0.30319
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                      Entrypoint Preview

                      Instruction
                      jmp dword ptr [00402000h]
add byte ptr [eax], al (this line repeats 97 times: every byte after the jmp stub is 0x00)

                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7bec0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7c000 | 0x6525e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x79f14 | 0x7a000 | False | 0.605622838755 | data | 6.72090618067 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x7c000 | 0x6525e | 0x65400 | False | 0.292563657407 | data | 4.7662742472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Resources

Name | RVA | Size | Type | Language | Country
EDPENLIGHTENEDAPPINFOID | 0x7c530 | 0x2 | data | |
EDPPERMISSIVEAPPINFOID | 0x7c534 | 0x2 | data | |
GOOGLEUPDATEAPPLICATIONCOMMANDS | 0x7c538 | 0x4 | data | |
RT_ICON | 0x7c53c | 0xa068 | data | |
RT_ICON | 0x865a4 | 0x668 | data | |
RT_ICON | 0x86c0c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2340981752, next used block 136 | |
RT_ICON | 0x86ef4 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x8701c | 0x12428 | data | |
RT_ICON | 0x99444 | 0xea8 | data | |
RT_ICON | 0x9a2ec | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15003106, next used block 15526627 | |
RT_ICON | 0x9ab94 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x9b0fc | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xdd124 | 0x25a8 | data | |
RT_ICON | 0xdf6cc | 0x10a8 | data | |
RT_ICON | 0xe0774 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xe0bdc | 0xae | data | |
RT_VERSION | 0xe0c8c | 0x3e8 | data | |
RT_MANIFEST | 0xe1074 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                      Imports

DLL | Import
mscoree.dll | _CorExeMain

                      Version Infos

Description | Data
LegalCopyright | 2007-2011 Otaku Software Pty Ltd
InternalName | DeskSpace
FileVersion | 1.5.8.14
CompanyName | Otaku Software Pty Ltd
LegalTrademarks | DeskSpace is a trademark of Otaku Software Pty Ltd
Comments | DeskSpace 1.5.8.14 Trial
ProductName | DeskSpace
ProductVersion | 1.5.8.14
FileDescription | DeskSpace
OriginalFilename | DeskSpace15814TrialSetup.exe
Translation | 0x0000 0x04b0

                      Network Behavior

                      No network behavior found

                      Code Manipulations

                      Statistics

                      Behavior


                      System Behavior

                      General

                      Start time:16:52:44
                      Start date:02/12/2021
                      Path:C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe"
                      Imagebase:0xb0000
                      File size:915456 bytes
                      MD5 hash:4B70CE8188818A2AF2012D5873D41427
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.409959224.000000000397A000.00000004.00000001.sdmp, Author: Joe Security
                      Reputation:low

                      General

                      Start time:16:53:32
                      Start date:02/12/2021
                      Path:C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
                      Imagebase:0xb0000
                      File size:915456 bytes
                      MD5 hash:4B70CE8188818A2AF2012D5873D41427
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.401381216.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.401381216.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.400525770.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.400525770.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.400110349.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.400110349.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.559754507.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.559754507.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, Author: Joe Security
                      Reputation:low

                      General

                      Start time:16:53:36
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Imagebase:0xd80000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:53:36
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Imagebase:0xd80000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:53:37
                      Start date:02/12/2021
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7f20f0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:53:37
                      Start date:02/12/2021
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7f20f0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:53:38
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Imagebase:0x10000
                      File size:185856 bytes
                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:53:40
                      Start date:02/12/2021
                      Path:C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Imagebase:0xbb0000
                      File size:915456 bytes
                      MD5 hash:4B70CE8188818A2AF2012D5873D41427
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.556122543.0000000003DFA000.00000004.00000001.sdmp, Author: Joe Security
                      Antivirus matches:
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 62%, Virustotal, Browse
                      • Detection: 43%, Metadefender, Browse
                      • Detection: 62%, ReversingLabs
                      Reputation:low

                      General

                      Start time:16:54:35
                      Start date:02/12/2021
                      Path:C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Imagebase:0xbb0000
                      File size:915456 bytes
                      MD5 hash:4B70CE8188818A2AF2012D5873D41427
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.533476754.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.536332699.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.561662492.0000000003011000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.559122972.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.534716149.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.534716149.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.535791099.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.535791099.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation:low

                      General

                      Start time:16:54:44
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Imagebase:0xd80000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:54:44
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\fffik\fffik.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
                      Imagebase:0xd80000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:54:44
                      Start date:02/12/2021
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7f20f0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:16:54:44
                      Start date:02/12/2021
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7f20f0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      General

                      Start time:16:54:45
                      Start date:02/12/2021
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
                      Imagebase:0x10000
                      File size:185856 bytes
                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
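
The process listing above already contains the whole persistence chain (sample copies itself to %APPDATA%\fffik\fffik.exe, registers the scheduled task "Nanias" to fire every minute, and the copy is re-launched with Yara hits at 0x402000 in a PAGE_EXECUTE_READWRITE region). The following Python is an added example, not part of this report and not Joe Sandbox tooling: it parses the "General" blocks into records, reconstructs that chain and flags the Yara hits that sit in executable-and-writable memory. It assumes the memory-dump names have the layout `<process index>.<phase>.<id>.<base address>.<page protection>.<type>.sdmp` with the protection field holding the Windows PAGE_* constant; that interpretation is an assumption, not something the report states. The embedded listing is a constructed excerpt transcribed from four of the entries above and trimmed to the fields the script reads.

```python
"""Triage helper for the 'System Behavior' listing of a Joe Sandbox report (added example,
not part of the report or of Joe Sandbox): parses the 'General' blocks, reconstructs the
self-copy + schtasks persistence chain and flags Yara hits in executable-and-writable pages."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: four of the blocks above, trimmed to the fields this script reads.
SAMPLE_LISTING = r"""
General
Path:C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
Commandline:C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe
MD5 hash:4B70CE8188818A2AF2012D5873D41427
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.400927493.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.562297045.0000000003451000.00000004.00000001.sdmp, Author: Joe Security
General
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:cmd" /c copy "C:\Users\user\Desktop\MV THALASSINI (EX- OCEAN LORD).doc.exe" "C:\Users\user\AppData\Roaming\fffik\fffik.exe
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
General
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\user\AppData\Roaming\fffik\fffik.exe'" /f
MD5 hash:15FF7D8324231381BAD48A052F85DF04
General
Path:C:\Users\user\AppData\Roaming\fffik\fffik.exe
Commandline:C:\Users\user\AppData\Roaming\fffik\fffik.exe
MD5 hash:4B70CE8188818A2AF2012D5873D41427
"""

# Assumed dump-name layout: <proc index>.<phase>.<id>.<base>.<protection>.<type>.sdmp, with
# <protection> holding the Windows PAGE_* constant (an assumption about Joe Sandbox naming).
DUMP_RE = re.compile(r"Source:\s+([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp")
RULE_RE = re.compile(r"Rule:\s+(\S+),")
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
DOUBLE_EXT_RE = re.compile(r"\.(doc|docx|pdf|xls|xlsx|txt|jpg|png)\.(exe|scr|com)$", re.I)  # lure extension before the real one

@dataclass
class Process:
    path: str = ""
    commandline: str = ""
    md5: str = ""
    yara: list = field(default_factory=list)

def parse_dump_name(line):
    """Decode the dump file name behind 'Source:' into process index, base address and protection."""
    m = DUMP_RE.search(line)
    if not m:
        return None
    prot = int(m.group(5), 16)
    return {"proc_index": int(m.group(1), 16), "base": int(m.group(4), 16),
            "protect": prot, "protect_name": PAGE_PROTECT.get(prot, hex(prot))}

def parse_listing(text):
    """Split the listing at 'General' headers and read the Key:Value lines of each block."""
    procs = []
    for chunk in re.split(r"^\s*General\s*$", text, flags=re.M):
        p = Process()
        for line in (raw.strip() for raw in chunk.splitlines()):
            if line.startswith("•"):                      # one Yara hit per bullet line
                d, r = parse_dump_name(line), RULE_RE.search(line)
                if d and r:
                    p.yara.append({**d, "rule": r.group(1)})
            elif ":" in line:                             # first colon separates key from value
                key, _, val = line.partition(":")
                key, val = key.strip().lower(), val.strip()
                if key == "path": p.path = val
                elif key == "commandline": p.commandline = val
                elif key == "md5 hash": p.md5 = val.upper()
        if p.path:
            procs.append(p)
    return procs

def _opt(cmd, pattern):
    """First capture group of pattern in cmd, or None when the switch is absent."""
    m = re.search(pattern, cmd, re.I)
    return m.group(1) if m else None

def find_persistence(procs):
    """Derive the persistence indicators: dropped copy, scheduled task, RWX Yara regions."""
    sample = procs[0]                                     # first block is the submitted sample
    f = {"sample_md5": sample.md5, "double_extension": bool(DOUBLE_EXT_RE.search(sample.path)),
         "dropped": None, "self_copy": False, "task": None, "rwx_yara": []}
    for p in procs:
        cmd = p.commandline
        m = re.search(r'copy\s+"([^"]+)"\s+"([^"]+)', cmd, re.I)   # cmd /c copy <src> <dst>
        if m:
            f["dropped"] = m.group(2).strip()
        if re.search(r"schtasks\s+/create\b", cmd, re.I):
            f["task"] = {"name": _opt(cmd, r'/tn\s+"([^"]+)"'),
                         "schedule": (_opt(cmd, r"/sc\s+(\w+)") or "").lower(),
                         "every": int(_opt(cmd, r"/mo\s+(\d+)") or 0),
                         "run": _opt(cmd, r'''/tr\s+"'?([^"']+)'?"''')}
        for y in p.yara:
            if y["protect"] & 0x40:                       # PAGE_EXECUTE_READWRITE: unpacked or injected code
                f["rwx_yara"].append((y["proc_index"], hex(y["base"]), y["rule"]))
    if f["dropped"]:                                      # dropped file re-launched with the sample's own MD5
        f["self_copy"] = any(p.path.lower() == f["dropped"].lower() and p.md5 == sample.md5 for p in procs)
    return f

if __name__ == "__main__":
    for key, value in find_persistence(parse_listing(SAMPLE_LISTING)).items():
        print(f"{key}: {value}")
```

Read the output as a responder would: the task name and the run path are the two artefacts to delete; `self_copy` being true means the dropped file is byte-identical to the sample, so one hash covers both on disk; and the RWX hit at 0x402000 in the re-launched process (process index 7) marks where the unpacked AgentTesla code sits, so that region, not the on-disk file, is the one to dump for configuration extraction.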

                      Disassembly

                      Code Analysis
