Edit tour

Windows Analysis Report
MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Overview

General Information

Sample name:	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Analysis ID:	1585125
MD5:	947e0863ba18f705f90473de4702a0ab
SHA1:	0a7fccf8265a9e268a84c8000912ca07312989fd
SHA256:	72bcc45094526e37f7275f87dff9c249a26242414fe30f13d6d5359e0b7fbcac
Tags:	exeuser-threatcat_ch
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe" MD5: 947E0863BA18F705F90473DE4702A0AB)

MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe (PID: 7452 cmdline: "C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe" MD5: 947E0863BA18F705F90473DE4702A0AB)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com", "To": "COMPUTERNAME", "Port": 494126}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf061:$a1: get_encryptedPassword 0xf389:$a2: get_encryptedUsername 0xedea:$a3: get_timePasswordChanged 0xef0b:$a4: get_passwordField 0xf077:$a5: set_encryptedPassword 0x109dc:$a7: get_logins 0x1068d:$a8: GetOutlookPasswords 0x1047f:$a9: StartKeylogger 0x1092c:$a10: KeyLoggerEventArgs 0x104dc:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa4481:$a1: get_encryptedPassword 0xbb2b1:$a1: get_encryptedPassword 0xd1ed1:$a1: get_encryptedPassword 0xa47a9:$a2: get_encryptedUsername 0xbb5d9:$a2: get_encryptedUsername 0xd21f9:$a2: get_encryptedUsername 0xa420a:$a3: get_timePasswordChanged 0xbb03a:$a3: get_timePasswordChanged 0xd1c5a:$a3: get_timePasswordChanged 0xa432b:$a4: get_passwordField 0xbb15b:$a4: get_passwordField 0xd1d7b:$a4: get_passwordField 0xa4497:$a5: set_encryptedPassword 0xbb2c7:$a5: set_encryptedPassword 0xd1ee7:$a5: set_encryptedPassword 0xa5dfc:$a7: get_logins 0xbcc2c:$a7: get_logins 0xd384c:$a7: get_logins 0xa5aad:$a8: GetOutlookPasswords 0xbc8dd:$a8: GetOutlookPasswords 0xd34fd:$a8: GetOutlookPasswords
00000002.00000002.2884087490.00000000028A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3b0:$a1: get_encryptedPassword 0xe64b:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe26e:$a4: get_passwordField 0xe3c6:$a5: set_encryptedPassword 0xf86a:$a7: get_logins 0xf598:$a8: GetOutlookPasswords 0xf3d2:$a9: StartKeylogger 0xf7cf:$a10: KeyLoggerEventArgs 0xf42f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c79e:$a1: get_encryptedPassword 0x2cab7:$a2: get_encryptedUsername 0x2c53b:$a3: get_timePasswordChanged 0x2c65c:$a4: get_passwordField 0x2c7b4:$a5: set_encryptedPassword 0x2e0c0:$a7: get_logins 0x2dd71:$a8: GetOutlookPasswords 0x2db63:$a9: StartKeylogger 0x2e010:$a10: KeyLoggerEventArgs 0x2dbc0:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd461:$a1: get_encryptedPassword 0xd789:$a2: get_encryptedUsername 0xd1ea:$a3: get_timePasswordChanged 0xd30b:$a4: get_passwordField 0xd477:$a5: set_encryptedPassword 0xeddc:$a7: get_logins 0xea8d:$a8: GetOutlookPasswords 0xe87f:$a9: StartKeylogger 0xed2c:$a10: KeyLoggerEventArgs 0xe8dc:$a11: KeyLoggerEventArgsEventHandler
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x124b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x119b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x11cbf:$a4: \Orbitum\User Data\Default\Login Data 0x12ab7:$a5: \Kometa\User Data\Default\Login Data
2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf261:$a1: get_encryptedPassword 0xf589:$a2: get_encryptedUsername 0xefea:$a3: get_timePasswordChanged 0xf10b:$a4: get_passwordField 0xf277:$a5: set_encryptedPassword 0x10bdc:$a7: get_logins 0x1088d:$a8: GetOutlookPasswords 0x1067f:$a9: StartKeylogger 0x10b2c:$a10: KeyLoggerEventArgs 0x106dc:$a11: KeyLoggerEventArgsEventHandler
2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x142b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x137b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x13abf:$a4: \Orbitum\User Data\Default\Login Data 0x148b7:$a5: \Kometa\User Data\Default\Login Data
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf261:$a1: get_encryptedPassword 0x26091:$a1: get_encryptedPassword 0x3ccb1:$a1: get_encryptedPassword 0xf589:$a2: get_encryptedUsername 0x263b9:$a2: get_encryptedUsername 0x3cfd9:$a2: get_encryptedUsername 0xefea:$a3: get_timePasswordChanged 0x25e1a:$a3: get_timePasswordChanged 0x3ca3a:$a3: get_timePasswordChanged 0xf10b:$a4: get_passwordField 0x25f3b:$a4: get_passwordField 0x3cb5b:$a4: get_passwordField 0xf277:$a5: set_encryptedPassword 0x260a7:$a5: set_encryptedPassword 0x3ccc7:$a5: set_encryptedPassword 0x10bdc:$a7: get_logins 0x27a0c:$a7: get_logins 0x3e62c:$a7: get_logins 0x1088d:$a8: GetOutlookPasswords 0x276bd:$a8: GetOutlookPasswords 0x3e2dd:$a8: GetOutlookPasswords
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x142b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2b0e3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41d03:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x137b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a5e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x41201:$a3: \Google\Chrome\User Data\Default\Login Data 0x13abf:$a4: \Orbitum\User Data\Default\Login Data 0x2a8ef:$a4: \Orbitum\User Data\Default\Login Data 0x4150f:$a4: \Orbitum\User Data\Default\Login Data 0x148b7:$a5: \Kometa\User Data\Default\Login Data 0x2b6e7:$a5: \Kometa\User Data\Default\Login Data 0x42307:$a5: \Kometa\User Data\Default\Login Data
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x502d1:$a1: get_encryptedPassword 0x67101:$a1: get_encryptedPassword 0x7dd21:$a1: get_encryptedPassword 0x505f9:$a2: get_encryptedUsername 0x67429:$a2: get_encryptedUsername 0x7e049:$a2: get_encryptedUsername 0x5005a:$a3: get_timePasswordChanged 0x66e8a:$a3: get_timePasswordChanged 0x7daaa:$a3: get_timePasswordChanged 0x5017b:$a4: get_passwordField 0x66fab:$a4: get_passwordField 0x7dbcb:$a4: get_passwordField 0x502e7:$a5: set_encryptedPassword 0x67117:$a5: set_encryptedPassword 0x7dd37:$a5: set_encryptedPassword 0x51c4c:$a7: get_logins 0x68a7c:$a7: get_logins 0x7f69c:$a7: get_logins 0x518fd:$a8: GetOutlookPasswords 0x6872d:$a8: GetOutlookPasswords 0x7f34d:$a8: GetOutlookPasswords
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x55323:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6c153:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x82d73:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x54821:$a3: \Google\Chrome\User Data\Default\Login Data 0x6b651:$a3: \Google\Chrome\User Data\Default\Login Data 0x82271:$a3: \Google\Chrome\User Data\Default\Login Data 0x54b2f:$a4: \Orbitum\User Data\Default\Login Data 0x6b95f:$a4: \Orbitum\User Data\Default\Login Data 0x8257f:$a4: \Orbitum\User Data\Default\Login Data 0x55927:$a5: \Kometa\User Data\Default\Login Data 0x6c757:$a5: \Kometa\User Data\Default\Login Data 0x83377:$a5: \Kometa\User Data\Default\Login Data
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7a101:$a1: get_encryptedPassword 0x90f31:$a1: get_encryptedPassword 0xa7b51:$a1: get_encryptedPassword 0x7a429:$a2: get_encryptedUsername 0x91259:$a2: get_encryptedUsername 0xa7e79:$a2: get_encryptedUsername 0x79e8a:$a3: get_timePasswordChanged 0x90cba:$a3: get_timePasswordChanged 0xa78da:$a3: get_timePasswordChanged 0x79fab:$a4: get_passwordField 0x90ddb:$a4: get_passwordField 0xa79fb:$a4: get_passwordField 0x7a117:$a5: set_encryptedPassword 0x90f47:$a5: set_encryptedPassword 0xa7b67:$a5: set_encryptedPassword 0x7ba7c:$a7: get_logins 0x928ac:$a7: get_logins 0xa94cc:$a7: get_logins 0x7b72d:$a8: GetOutlookPasswords 0x9255d:$a8: GetOutlookPasswords 0xa917d:$a8: GetOutlookPasswords
0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x7f153:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x95f83:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xacba3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e651:$a3: \Google\Chrome\User Data\Default\Login Data 0x95481:$a3: \Google\Chrome\User Data\Default\Login Data 0xac0a1:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e95f:$a4: \Orbitum\User Data\Default\Login Data 0x9578f:$a4: \Orbitum\User Data\Default\Login Data 0xac3af:$a4: \Orbitum\User Data\Default\Login Data 0x7f757:$a5: \Kometa\User Data\Default\Login Data 0x96587:$a5: \Kometa\User Data\Default\Login Data 0xad1a7:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T05:52:56.021929+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49732	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.2884087490.0000000002781000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com", "To": "COMPUTERNAME", "Port": 494126}

Multi AV Scanner detection for submitted file

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.0

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657665484.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 02578922h	2_2_02578508
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 025781F9h	2_2_02577F48
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 02578922h	2_2_025784F8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 02578922h	2_2_0257884F
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 0257FAF8h	2_2_0257F7F8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D80742h	2_2_04D80498
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D81580h	2_2_04D812D8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D844A5h	2_2_04D842C8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D84E2Fh	2_2_04D842C8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D826E0h	2_2_04D82438
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_04D837D8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D819D8h	2_2_04D81730
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D802E8h	2_2_04D80040
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D833E8h	2_2_04D83140
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D82F90h	2_2_04D82CE8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D81128h	2_2_04D80E80
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_04D83E0B
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_04D83FEB
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D82288h	2_2_04D81FE0
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D82B38h	2_2_04D82890
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then mov esp, ebp	2_2_04D87A72
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D80CD0h	2_2_04D80A28
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 4x nop then jmp 04D81E30h	2_2_04D81B88

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.0000000002781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.000000000281B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.000000000281B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.0000000002781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 0_2_011CE084	0_2_011CE084
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 0_2_06C917D9	0_2_06C917D9
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_0257AC08	2_2_0257AC08
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_02572DD1	2_2_02572DD1
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_0257F128	2_2_0257F128
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_025719B8	2_2_025719B8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_02577F48	2_2_02577F48
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_0257E77F	2_2_0257E77F
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_0257E780	2_2_0257E780
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_0257EF08	2_2_0257EF08
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_0257AC07	2_2_0257AC07
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_0257F7F8	2_2_0257F7F8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_02577F47	2_2_02577F47
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D80498	2_2_04D80498
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D86628	2_2_04D86628
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D87798	2_2_04D87798
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D812D8	2_2_04D812D8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D842C8	2_2_04D842C8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D85340	2_2_04D85340
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D85FD8	2_2_04D85FD8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D85988	2_2_04D85988
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D82438	2_2_04D82438
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D82433	2_2_04D82433
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D86624	2_2_04D86624
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D837D8	2_2_04D837D8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D837C8	2_2_04D837C8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D87797	2_2_04D87797
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D81730	2_2_04D81730
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D81722	2_2_04D81722
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D80040	2_2_04D80040
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D80007	2_2_04D80007
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D83140	2_2_04D83140
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D83131	2_2_04D83131
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D812C8	2_2_04D812C8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D842C3	2_2_04D842C3
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D8533F	2_2_04D8533F
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D82CD9	2_2_04D82CD9
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D82CE8	2_2_04D82CE8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D86CA8	2_2_04D86CA8
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D86CA7	2_2_04D86CA7
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D80E80	2_2_04D80E80
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D80E7B	2_2_04D80E7B
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D81FD2	2_2_04D81FD2
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D85FD7	2_2_04D85FD7
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D81FE0	2_2_04D81FE0
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D82890	2_2_04D82890
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D82880	2_2_04D82880
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D85978	2_2_04D85978
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D80A17	2_2_04D80A17
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D80A28	2_2_04D80A28
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D81B88	2_2_04D81B88
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Code function: 2_2_04D81B78	2_2_04D81B78

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVebinace.dll2 vs MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657665484.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657665484.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657665484.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1656646167.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000000.1645510985.0000000000836000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePop.exe( vs MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2882754109.000000000075A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2882727463.0000000000737000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Binary or memory string: OriginalFilenamePop.exe( vs MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, AirFilter.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, AirFilter.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorType
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.AreInjectorsClogged
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorDutyCycle
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorFlowRate
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, EngineBlock.cs	Suspicious method names: .EngineBlock.FuelInjectionType
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorType
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.AreInjectorsClogged
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorDutyCycle
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, FuelInjector.cs	Suspicious method names: .FuelInjector.InjectorFlowRate
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, EngineBlock.cs	Suspicious method names: .EngineBlock.FuelInjectionType

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Mutant created: NULL

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.000000000286E000.00000004.00000800.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.000000000285F000.00000004.00000800.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.000000000287D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe "C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe"
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process created: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe "C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe"
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process created: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe "C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, Form1.cs	.Net Code: Form1_Load System.Reflection.Assembly.Load(byte[])
Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, Form1.cs	.Net Code: Form1_Load

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Static PE information: 0x87DDA81E [Wed Mar 26 12:44:14 2042 UTC]

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Static PE information: section name: .text entropy: 7.7119234091335676

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: doc.scr

Static PE information: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Memory allocated: 4AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Memory allocated: 24D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Memory allocated: 24D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe TID: 7356

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2882888779.0000000000818000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Code function: 2_2_0257F128 LdrInitializeThunk,LdrInitializeThunk,

2_2_0257F128

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Process created: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe "C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe"

Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2884087490.00000000028A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b4e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3b0d1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.3ae3380.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe PID: 7452, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	1 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Data from Local System	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	18%	ReversingLabs
MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	100%	Avira	HEUR/AGEN.1306813
MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.000000000281B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.000000000281B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.0000000002781000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1659003239.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe, 00000002.00000002.2884087490.00000000027FF000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585125
Start date and time:	2025-01-07 05:52:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 28 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
132.226.247.73	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3D	Get hash	malicious	Unknown	Browse	104.26.0.123
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	104.17.25.14
	x86_64.elf	Get hash	malicious	Mirai	Browse	8.44.60.50
	sh4.elf	Get hash	malicious	Mirai	Browse	162.158.206.216
	w3245.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	w3245.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	104.17.247.203
	https://solve.jrqr.org/awjxs.captcha?u=df8172c9-2ab6-423b-8c92-85669127a20a	Get hash	malicious	Unknown	Browse	104.21.27.98
UTMEMUS	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	armv5l.elf	Get hash	malicious	Unknown	Browse	132.244.2.45
	31.13.224.14-x86-2025-01-03T22_14_18.elf	Get hash	malicious	Mirai	Browse	132.226.42.231
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	adguardInstaller.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.97.3
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.703942714714825
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
File size:	222'720 bytes
MD5:	947e0863ba18f705f90473de4702a0ab
SHA1:	0a7fccf8265a9e268a84c8000912ca07312989fd
SHA256:	72bcc45094526e37f7275f87dff9c249a26242414fe30f13d6d5359e0b7fbcac
SHA512:	86fae7cd0a9c9a8c721d7b69c6a54a124f5fc7d10d6d50aca47f09584e14a47b4db3e35c478a8cac0c84e64d4ffed429e59cd0c6d39aec8d74036ed813770ec2
SSDEEP:	3072:+rIOgeLRN9KkUFBlFdXcowGj8Ac5kBFJEJ2WTi5Zq51vb4:+rIOgelGrfgGjskBMJ2Dm
TLSH:	2624D4B03164A160F379ABB07C1CC2732666563A5253EFBCE6C7DAB649453CB7C2122D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0......6.......L... ...`....@.. ....................................@................................

File Icon


Icon Hash:	13d1421995c6490d

Static PE Info

General

Entrypoint:	0x434c2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x87DDA81E [Wed Mar 26 12:44:14 2042 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34bd4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x33b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x32c34	0x32e00	5b3ab8deaee0726a1f52f40728364f4e	False	0.6696195485257985	data	7.7119234091335676	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x36000	0x33b0	0x3400	136a6ce04816fdd601cebdcbc9c13296	False	0.9194711538461539	data	7.703187088905528	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a000	0xc	0x200	185220484a2493883cc0809e078e637a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x36130	0x2d91	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9799399914273468
RT_GROUP_ICON	0x38ec4	0x14	data	0.95
RT_VERSION	0x38ed8	0x2ec	data	0.4344919786096257
RT_MANIFEST	0x391c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T05:52:56.021929+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49732	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 05:52:54.904792070 CET	49732	80	192.168.2.4	132.226.247.73
Jan 7, 2025 05:52:54.909660101 CET	80	49732	132.226.247.73	192.168.2.4
Jan 7, 2025 05:52:54.909722090 CET	49732	80	192.168.2.4	132.226.247.73
Jan 7, 2025 05:52:54.909940958 CET	49732	80	192.168.2.4	132.226.247.73
Jan 7, 2025 05:52:54.914678097 CET	80	49732	132.226.247.73	192.168.2.4
Jan 7, 2025 05:52:55.706837893 CET	80	49732	132.226.247.73	192.168.2.4
Jan 7, 2025 05:52:55.730050087 CET	49732	80	192.168.2.4	132.226.247.73
Jan 7, 2025 05:52:55.734886885 CET	80	49732	132.226.247.73	192.168.2.4
Jan 7, 2025 05:52:55.977624893 CET	80	49732	132.226.247.73	192.168.2.4
Jan 7, 2025 05:52:56.021929026 CET	49732	80	192.168.2.4	132.226.247.73
Jan 7, 2025 05:52:56.030153990 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:52:56.030184031 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:52:56.030272961 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:52:56.112023115 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:52:56.112042904 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:52:56.600944996 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:52:56.601020098 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:52:56.605494976 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:52:56.605504990 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:52:56.605751038 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:52:56.647141933 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:52:56.667618036 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:52:56.715331078 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:52:56.784816980 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:52:56.784861088 CET	443	49733	188.114.97.3	192.168.2.4
Jan 7, 2025 05:52:56.784919024 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:52:56.790369034 CET	49733	443	192.168.2.4	188.114.97.3
Jan 7, 2025 05:54:00.964044094 CET	80	49732	132.226.247.73	192.168.2.4
Jan 7, 2025 05:54:00.964246035 CET	49732	80	192.168.2.4	132.226.247.73
Jan 7, 2025 05:54:35.991333008 CET	49732	80	192.168.2.4	132.226.247.73
Jan 7, 2025 05:54:35.996149063 CET	80	49732	132.226.247.73	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 05:52:54.892760992 CET	50987	53	192.168.2.4	1.1.1.1
Jan 7, 2025 05:52:54.899472952 CET	53	50987	1.1.1.1	192.168.2.4
Jan 7, 2025 05:52:56.005597115 CET	50568	53	192.168.2.4	1.1.1.1
Jan 7, 2025 05:52:56.012382030 CET	53	50568	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 05:52:54.892760992 CET	192.168.2.4	1.1.1.1	0x8b3e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:52:56.005597115 CET	192.168.2.4	1.1.1.1	0x20b8	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 05:52:54.899472952 CET	1.1.1.1	192.168.2.4	0x8b3e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 05:52:54.899472952 CET	1.1.1.1	192.168.2.4	0x8b3e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:52:54.899472952 CET	1.1.1.1	192.168.2.4	0x8b3e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:52:54.899472952 CET	1.1.1.1	192.168.2.4	0x8b3e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:52:54.899472952 CET	1.1.1.1	192.168.2.4	0x8b3e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:52:54.899472952 CET	1.1.1.1	192.168.2.4	0x8b3e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:52:56.012382030 CET	1.1.1.1	192.168.2.4	0x20b8	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:52:56.012382030 CET	1.1.1.1	192.168.2.4	0x20b8	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	132.226.247.73	80	7452	C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 05:52:54.909940958 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 7, 2025 05:52:55.706837893 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 04:52:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 7, 2025 05:52:55.730050087 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 7, 2025 05:52:55.977624893 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 04:52:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	188.114.97.3	443	7452	C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 04:52:56 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-07 04:52:56 UTC	853	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 04:52:56 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1540365 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PZdA0ajZG2S4Nu%2Bs8cxumEAGSrO3ecHEKCwc9r2nDM%2FBhJbSW3XJZpflvdWaup3uuTxwfGFU9eLewGZVnSXwR2XLES0pWPQ1XDeD9IbPoYe0U2Ntbgr0lTURbQk7HWiPMllHBcDL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe1575e7aff0f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1489&rtt_var=576&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1871794&cwnd=221&unsent_bytes=0&cid=c2155ecea9ffa7aa&ts=196&x=0"
2025-01-07 04:52:56 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	23:52:52
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe"
Imagebase:	0x800000
File size:	222'720 bytes
MD5 hash:	947E0863BA18F705F90473DE4702A0AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1657821219.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:52:53
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe"
Imagebase:	0x340000
File size:	222'720 bytes
MD5 hash:	947E0863BA18F705F90473DE4702A0AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2882754109.0000000000742000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2884087490.00000000028A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	105
Total number of Limit Nodes:	10

Executed Functions

Function 06C917D9 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658988502.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c90000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555431e25bbb7d5192efd2cd0b3ce4011a617e4a6a1052cf3fa1c87b1a6ebc8b
Instruction ID: 9b99a92500bf4e194fd6885a5f37fb8e0739d85ab75e7345baf0441dcce8e691
Opcode Fuzzy Hash: 555431e25bbb7d5192efd2cd0b3ce4011a617e4a6a1052cf3fa1c87b1a6ebc8b
Instruction Fuzzy Hash: 31D16B70E0020A8FDF54DFA9C849BADBBF2BF44304F198569E409AB6A5DB70D945CB90

Function 011CB298 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011CB4FE

Memory Dump Source

Source File: 00000000.00000002.1657414740.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 123973927f1ab696025387af0216e423f338e13da697d0ffcadc5dd3a6534a16
Instruction ID: a40736355ccc1b488d34c528c7a74160fd23b2558b7f4527f5cc1669273a18f2
Opcode Fuzzy Hash: 123973927f1ab696025387af0216e423f338e13da697d0ffcadc5dd3a6534a16
Instruction Fuzzy Hash: 448174B0A04B458FD728CF69D44275ABBF1FF98704F00892ED48ADBA50E738E845CB95

Function 011C449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011C59C9

Memory Dump Source

Source File: 00000000.00000002.1657414740.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 69a598afc51c0e2a44240e2210e74cd46a2d4220cac95cb39352575e91573437
Instruction ID: 7095937a32685f45e54de4f16c529481cb1aa71034990c1c960aa92dab2a6fdf
Opcode Fuzzy Hash: 69a598afc51c0e2a44240e2210e74cd46a2d4220cac95cb39352575e91573437
Instruction Fuzzy Hash: 6541D3B0D00719CADB28DFAAC88479EBBF6BF49704F20806AD509AB251DB716945CF91

Function 011C590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011C59C9

Memory Dump Source

Source File: 00000000.00000002.1657414740.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 13a2766b4a8585d6dcb71f70e61c7b1c9c0e2c5d21ac893a20a081ead863844c
Instruction ID: 55caa1f4fb027f65739ccca2f829545496b8cf08b3215a52504cb56c38da8e12
Opcode Fuzzy Hash: 13a2766b4a8585d6dcb71f70e61c7b1c9c0e2c5d21ac893a20a081ead863844c
Instruction Fuzzy Hash: DF4112B0D00719CEDB28CFAAC884BDEBBF2BF49304F20806AD408AB251DB756945CF50

Function 011CD2F8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011CD74E,?,?,?,?,?), ref: 011CD80F

Memory Dump Source

Source File: 00000000.00000002.1657414740.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d7c458bb2fdcca501efe0426100509fe7ed3faea5d3d68382e8ce1fa76bc0d17
Instruction ID: 00091088b86540f6da89b4078cc39134a3a0593a476cd8c6e3f61c07770478b3
Opcode Fuzzy Hash: d7c458bb2fdcca501efe0426100509fe7ed3faea5d3d68382e8ce1fa76bc0d17
Instruction Fuzzy Hash: 062105B59003089FDB10CF99D884ADEBBF4FB48310F10802AE918A3350D374A944CFA0

Function 06C92198 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 06C92211

Memory Dump Source

Source File: 00000000.00000002.1658988502.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c90000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: af05dbdce5ba31fc4220447fa668a4d53ec29dbc5ab1a31e275ca2cc88d0b4ef
Instruction ID: 1e796bd886876b305e1b2853c2382f73638ccd58f8ef817af179a28edf347cb9
Opcode Fuzzy Hash: af05dbdce5ba31fc4220447fa668a4d53ec29dbc5ab1a31e275ca2cc88d0b4ef
Instruction Fuzzy Hash: C02135B1D102098FDB14CF9AC848BEEFBF5EB88320F14842AD458A7350C778AA45CF65

Function 011CD780 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011CD74E,?,?,?,?,?), ref: 011CD80F

Memory Dump Source

Source File: 00000000.00000002.1657414740.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fae4125674235c34a64221f9841fb43224b26385ea0f209a42cb709e828c6314
Instruction ID: 15840b7139e76fe2b70fb7b06bdebaec5800c5588f0daa69bac51b3b6e5334e0
Opcode Fuzzy Hash: fae4125674235c34a64221f9841fb43224b26385ea0f209a42cb709e828c6314
Instruction Fuzzy Hash: E621E4B5D002489FDB10CFA9D584ADEBFF4FB48320F14845AE958A3350D374AA54CFA4

Function 06C921A0 Relevance: 1.6, APIs: 1, Instructions: 59
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 06C92211

Memory Dump Source

Source File: 00000000.00000002.1658988502.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c90000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: aeae0e5952db5dd248a32b79327d0fb4d58c8ab056962ba72f362577345c5b15
Instruction ID: 278847830831af9c9efbf735200f3f75c393b540ce01a1c70dcdb767b3c1d67b
Opcode Fuzzy Hash: aeae0e5952db5dd248a32b79327d0fb4d58c8ab056962ba72f362577345c5b15
Instruction Fuzzy Hash: A82138B1D102099FDB14DF9AC848BEEFBF5FB88320F14842AD458A3250D778AA44CF65

Function 011CB498 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011CB4FE

Memory Dump Source

Source File: 00000000.00000002.1657414740.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 05a1b52401634b14caa29235e6f6e596d2cef9487aed00ac4c2dc43205792ec0
Instruction ID: d0a229c1e160e86d6ea6d820c6b36cadcf95cae7795368be11b99236c452dd01
Opcode Fuzzy Hash: 05a1b52401634b14caa29235e6f6e596d2cef9487aed00ac4c2dc43205792ec0
Instruction Fuzzy Hash: B7110FB5C043498FDB14DF9AC445ADEFBF8EB88324F10841AD429A7210C375A645CFA5

Function 06C91502 Relevance: 1.5, APIs: 1, Instructions: 45
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32 ref: 06C9155D

Memory Dump Source

Source File: 00000000.00000002.1658988502.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c90000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d10f5cfd71009c260fc6d7b17ad8d453c91e6133b2f09f39b4c7d0697b480759
Instruction ID: 1e0f500b98770df16249fc6d4139017e5ff9e12e1332b64344f7fc683f3f3bca
Opcode Fuzzy Hash: d10f5cfd71009c260fc6d7b17ad8d453c91e6133b2f09f39b4c7d0697b480759
Instruction Fuzzy Hash: C11115B58003498FCB20DF9AD849BCEBFF4EB48320F14841AD519A3600D774A644CFA5

Function 06C91508 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 06C9155D

Memory Dump Source

Source File: 00000000.00000002.1658988502.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c90000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0e912c5ce0bc60ec6ab6fda3e6225758209ec4883446960e00b837863c118ce3
Instruction ID: 2e64c3d61a53028849058a5968a9d8497be92ac3b547c6427d45e5b4fcd0c1bb
Opcode Fuzzy Hash: 0e912c5ce0bc60ec6ab6fda3e6225758209ec4883446960e00b837863c118ce3
Instruction Fuzzy Hash: 511112B58003498FCB10DF9AD449BCEBBF4EB48320F24841AD519A3200C374AA44CFA5

Function 00F0D61C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656452581.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f07022002d97886d7ec09acbb3063018a5787d72210b734eac129cbc558b26
Instruction ID: 994a48ffb780cd4c645d602e0fd5902ab0812be20ef5e8e5406b6f08a7a9f28a
Opcode Fuzzy Hash: 90f07022002d97886d7ec09acbb3063018a5787d72210b734eac129cbc558b26
Instruction Fuzzy Hash: 5021F472A04244DFCB05DF54D9C4B26BF65FB94320F248569E90D0B296C337D816EBA1

Function 00F1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656489315.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85c8e609bdb09d727a0ef981faf3952759dd373c4e6e02f3f3143b6a3f32944
Instruction ID: 946a6e5e6614112c4bc7e7133da51d87304b20f52911a229e4fe7518506e53f6
Opcode Fuzzy Hash: a85c8e609bdb09d727a0ef981faf3952759dd373c4e6e02f3f3143b6a3f32944
Instruction Fuzzy Hash: D721F575A04200DFCB14DF14D9C4B56BBB5FB98324F24C56DD80A4B38AC33AD887EA61

Function 00F1D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656489315.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94327de9f31df131b7392e4b2c723c9f43de8a4c03f430840c2ef1df510568a6
Instruction ID: db9cc3608023da91aae84886add8bd1742fb8d2834a6406210c649741606ca0e
Opcode Fuzzy Hash: 94327de9f31df131b7392e4b2c723c9f43de8a4c03f430840c2ef1df510568a6
Instruction Fuzzy Hash: 412192755093C08FCB02CF24D994715BF71EB46324F28C5EAD8498F2A7C33A984ADB62

Function 00F0D617 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656452581.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 2b43be025860be3b86d855d2278f8f9a9c7127ddab6002a433f8cdbce3ed34e0
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: A611D376904284CFCB06CF54D5C4B16BF72FB94324F24C5A9D8090B696C336D85AEBA1

Non-executed Functions

Function 011CE084 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657414740.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ecd2b145d8f14b3332cce380ba45f16938692f1903143d832af39a859afaa
Instruction ID: a283d1326f2c25654814754c6aa26774a56dbd2d08dc051b594a8fa040d2aa03
Opcode Fuzzy Hash: bd8ecd2b145d8f14b3332cce380ba45f16938692f1903143d832af39a859afaa
Instruction Fuzzy Hash: 37A19032E002168FCF09DFB4C8845DEBBB2FF94704B15856EE905AB265DB35E956CB80

Analysis Process: MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exePID: 7452, Parent PID: 7336COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26.7%
Total number of Nodes:	45
Total number of Limit Nodes:	3

Executed Functions

Function 0257F128 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2883562726.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2570000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c73caaa9752a51eaf7ade102342c3d82b85a257c267981d85ba9ef1df6e1fbe
Instruction ID: 34a1e88e5e20496778e05fc854414311f6c93b574df1c3b56be5ecbb7c4f4843
Opcode Fuzzy Hash: 8c73caaa9752a51eaf7ade102342c3d82b85a257c267981d85ba9ef1df6e1fbe
Instruction Fuzzy Hash: 39F1F474E01218CFDB14DFA9D884B9DBBB2BF88304F50C1A9E808AB355DB75A985CF54

Function 04D842C8 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b56ac020c581d16a5fc8187c635ec5f89a93de65fff6f44aa8018259fbb4b8
Instruction ID: 8ddc9914610399982b9c2898c9755656fe4a7c02ec1cc23c07bb6383e900fe7b
Opcode Fuzzy Hash: b7b56ac020c581d16a5fc8187c635ec5f89a93de65fff6f44aa8018259fbb4b8
Instruction Fuzzy Hash: 9772CE74E012298FDB64DF69C994BE9BBF2BB49300F1481E9D449A7355EB34AE81CF40

Function 02577F48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2883562726.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2570000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7882c4e6f3d291798c3538600b5c809b399f9df30b96334bf49d58a3bead3723
Instruction ID: f87eaa624432636541a0ee3e5b4357c2dc6c7e48f465e944583062a05f40f5bb
Opcode Fuzzy Hash: 7882c4e6f3d291798c3538600b5c809b399f9df30b96334bf49d58a3bead3723
Instruction Fuzzy Hash: ACC19D78E01218CFDB14DFA9D998B9DBBB2BF88301F2084A9D809A7355DB355E85CF50

Function 04D80498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68480361b9f9bb3377c17730ae6b71e6e547beaec12a552095e1009f2c6e8432
Instruction ID: 3a944eba820fccf781d7614355d6e4bd8b19893d025565072654c2e2c48c183e
Opcode Fuzzy Hash: 68480361b9f9bb3377c17730ae6b71e6e547beaec12a552095e1009f2c6e8432
Instruction Fuzzy Hash: 7AC1B374E00218CFDB15DFA5D994BADBBB2BF89301F2080A9D809AB355DB359E85CF50

Function 04D812D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be75f7435fbbc49b62254a1b1f1caa7c588f0a2d800f0ad089624623b658254
Instruction ID: e85d49088435ef71ce7d4db1d782b34315dd9ba7fa08e79b04553f8c2a0dc9b3
Opcode Fuzzy Hash: 2be75f7435fbbc49b62254a1b1f1caa7c588f0a2d800f0ad089624623b658254
Instruction Fuzzy Hash: 67C1A274E00218CFDB14DFA5D994BADBBB2BF89305F2080A9D809AB355DB359E85CF10

Function 025784F8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2883562726.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2570000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d874234deeda2430ea500589b7715bd934cba8508cd9ae1cfaadf7661cd9dc
Instruction ID: ac1416d24e0c6543bd1c2a6fdadfc2300298b187b6e37ed93b63654ac6a458b6
Opcode Fuzzy Hash: 69d874234deeda2430ea500589b7715bd934cba8508cd9ae1cfaadf7661cd9dc
Instruction Fuzzy Hash: 62A10470D012188FDB24DFA8D588BDDBBB1FF89304F209269E409AB391DB759985CF54

Function 02578508 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2883562726.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2570000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08408cdcd967c8c55bc47212016c0577967826b734d180aa1dbeccc7dfcadab8
Instruction ID: 4274b761d5172110edf7c86b5de2222d9ad1eb77dfcda6989faaf4b1085dcfb0
Opcode Fuzzy Hash: 08408cdcd967c8c55bc47212016c0577967826b734d180aa1dbeccc7dfcadab8
Instruction Fuzzy Hash: 34A10370D01208CFDB24DFA8D998B9DBBB1FF88314F209269E409AB391DB759984CF54

Function 0257884F Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2883562726.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2570000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3368da0b59f0583225bd768d2b0941e1b9812854d65e9f784241775b42904f
Instruction ID: 696927b50fe084070b5d681a367946f5a2cd57192b40c72a53c6a7e0ac18eb82
Opcode Fuzzy Hash: 4c3368da0b59f0583225bd768d2b0941e1b9812854d65e9f784241775b42904f
Instruction Fuzzy Hash: FA910274D01208CFDB20DFA8D988B9CBBB1FF49314F2096A9E409AB391DB759984CF55

Function 04D8A0BC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04D8A376,?,?,?,?,?), ref: 04D8A437

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: afd1cd5f075ea5ff4db165bd681c41245d283a4019f3e14c2ec9586e08fcf243
Instruction ID: d003b2ad9c4213c3e5e791e261eb016f355355c44139fa50dc21eff1570fc123
Opcode Fuzzy Hash: afd1cd5f075ea5ff4db165bd681c41245d283a4019f3e14c2ec9586e08fcf243
Instruction Fuzzy Hash: 922103B59002489FDB10DF9AD884AEEBBF4FB48320F10805AE918A3310D374A944CFA5

Function 04D8A3A8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04D8A376,?,?,?,?,?), ref: 04D8A437

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 59cbff97c92e72aa6b412896f2af187660ab79039037390f4355c28609ca4bcb
Instruction ID: cddc478dda4f118df69638850f69474c021bff2ffa4064e5481fbf1bae1b0837
Opcode Fuzzy Hash: 59cbff97c92e72aa6b412896f2af187660ab79039037390f4355c28609ca4bcb
Instruction Fuzzy Hash: C321FFB6901218DFDB10CFA9D984AEEBBF4FF08320F14845AE918A3311C334A944CF61

Function 0257F50C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 0257F64E

Memory Dump Source

Source File: 00000002.00000002.2883562726.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2570000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6a4aff5aabdd74d8d98b3e45390b10c64bda5be347d31e97fff8596f5fe30a3b
Instruction ID: c141e3957fc45f6c04e8ec3f6627df5ae4192f56c98eb2e300eca307f879f57e
Opcode Fuzzy Hash: 6a4aff5aabdd74d8d98b3e45390b10c64bda5be347d31e97fff8596f5fe30a3b
Instruction Fuzzy Hash: 82116AB4E411099FDB04DFA8E884EADBBB5FB88308F148525E804AB751DB31EC41CB64

Function 00BAD006 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2883335656.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bad000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d925ee38f8e619e7cc9e3f2bb12a07464492fd94f5dff67d073bdc37f590a8ed
Instruction ID: 87c81a333aa703f21043b9a9ca4da291a261c4277d1fa9c528f2ac381293b487
Opcode Fuzzy Hash: d925ee38f8e619e7cc9e3f2bb12a07464492fd94f5dff67d073bdc37f590a8ed
Instruction Fuzzy Hash: C8216D7550D3C49FC7138B24D9A0711BFB1EB56214F28C5DBD9898B6A7C23A980ACB62

Function 00BAD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2883335656.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bad000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d992f58971ccb0eb4dae3542d80b64d101ea3c46e0dad767b80f41e6982bfbe4
Instruction ID: fc8b506db26dd496fcd3f07153ed215a124ac97dbddfdeb792a47b73b8f42edc
Opcode Fuzzy Hash: d992f58971ccb0eb4dae3542d80b64d101ea3c46e0dad767b80f41e6982bfbe4
Instruction Fuzzy Hash: D62103B1608200DFCB20DF14D9D0B26BBA5EB85314F24C6ADD80A4A692C336D846CA61

Non-executed Functions

Function 04D837D8 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 04D838F3

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: dc0b2032f0c9e4cd0201136435a77796db4beb09fc33ca89f7ae760c46777c86
Instruction ID: 1df2bbffb64cd825f1d197b3ceb63dc38eb7de943776ec59d96683d5a9a6d3b4
Opcode Fuzzy Hash: dc0b2032f0c9e4cd0201136435a77796db4beb09fc33ca89f7ae760c46777c86
Instruction Fuzzy Hash: BD52AE74E01229CFDB64DF65C884BADBBB2BB89301F1085E9D50DAB254DB35AE81CF50

Function 0257F7F8 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2883562726.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2570000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632a1315a8dbc4caa05882d687790acec36e49912f91a3a062d31dc1383c232d
Instruction ID: 5f70e2c2331e0a2bff2f30d148186cd37b1ae2313979b17460874606a6ce8b89
Opcode Fuzzy Hash: 632a1315a8dbc4caa05882d687790acec36e49912f91a3a062d31dc1383c232d
Instruction Fuzzy Hash: 05D1E274E01218CFDB14DFA5D994B9DBBB2BF89305F2080AAD808AB365DB359D81CF14

Function 04D82438 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6767be3d93b60dbd9c90d5ae537397e966c2339d0b23659f2ccda9fb193dad12
Instruction ID: 56b9b5a699384f697237647908d9ca06a049bd01efcdd8a745a590448b30b3af
Opcode Fuzzy Hash: 6767be3d93b60dbd9c90d5ae537397e966c2339d0b23659f2ccda9fb193dad12
Instruction Fuzzy Hash: 86C1B174E00218CFDB14DFA5D994BADBBB2BF89301F2080A9D809AB355DB359E85CF10

Function 04D81730 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb7aa75b0b5e91ad37ae98f6e55c3e69f3c832d20f6c89f8b4e03e02955acdc
Instruction ID: 9007577bc081d9ee6563674a6b70aa2e7fc065aef6f2e53e26413d4489b02a17
Opcode Fuzzy Hash: 5cb7aa75b0b5e91ad37ae98f6e55c3e69f3c832d20f6c89f8b4e03e02955acdc
Instruction Fuzzy Hash: 64C1A174E00218CFDB14DFA5D994BADBBB2BF89305F2080A9D809AB355DB356E85CF10

Function 04D80040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974c5ed6249bda6b26556846a94b8ee2a9f48882785fd400ec0e2a005f53369e
Instruction ID: f71d06ff4095fdab4d7ff7c650e9e6814a4efd7ee1cf63d956b7ea97a2e484ec
Opcode Fuzzy Hash: 974c5ed6249bda6b26556846a94b8ee2a9f48882785fd400ec0e2a005f53369e
Instruction Fuzzy Hash: 54C1A174E01218CFDB15DFA9D994BADBBB2BF89301F2080A9D809AB355DB355E85CF10

Function 04D83140 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ed39704793ae7734eb7b14a30c56cc503592c03299fb0f5a1067224813f303
Instruction ID: d4cb0d82c41ca68b7bebf4f9986e7bc2c42657ca85c97e69822b2335edd29507
Opcode Fuzzy Hash: 79ed39704793ae7734eb7b14a30c56cc503592c03299fb0f5a1067224813f303
Instruction Fuzzy Hash: ECC1A174E00218CFDB14DFA5D994BADBBB2BF89301F2084A9D809AB355DB359E85CF10

Function 04D82CE8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edc8a981103d6a7f2a59a1ce5900df8d3e231b5236590e2268d96ad5202e57e
Instruction ID: 568cb30d557d2c81c5fc22231dbefb86b78a75be016e5a48578b8e609dafbea5
Opcode Fuzzy Hash: 1edc8a981103d6a7f2a59a1ce5900df8d3e231b5236590e2268d96ad5202e57e
Instruction Fuzzy Hash: 1CC1A074E00218CFDB14DFA5D994BADBBB2BF89301F2080A9D809AB355DB359E85CF50

Function 04D80E80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4707165cf5d71fa58204659a1491258adf0610560d2c537cf5b61a2de7801199
Instruction ID: 5238809edf1ef203d7d1a3ebf975600c875571bcc7caa79422a251103d12136d
Opcode Fuzzy Hash: 4707165cf5d71fa58204659a1491258adf0610560d2c537cf5b61a2de7801199
Instruction Fuzzy Hash: 0AC1A074E00218CFDB14DFA5D994BADBBB2BF89301F2080A9D809AB355DB359E85CF50

Function 04D81FE0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1897a679d1776281cce7024bd765242d442d07a0f5416a60f30588e8d862902
Instruction ID: aaba09c9339e89056a2963f64348d7bc61fb307aafcdc016d3c8a672dac6af82
Opcode Fuzzy Hash: e1897a679d1776281cce7024bd765242d442d07a0f5416a60f30588e8d862902
Instruction Fuzzy Hash: FAC1A174E00218CFDB54DFA5D994BADBBB2BF89301F2080A9D809AB355DB359E85CF10

Function 04D82890 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1773ee17ef8e6ec99c8d2ecb16a307cbcf1fa600e37d7f0d32822ee9e6a599f2
Instruction ID: 31b19f13cc7024dbac32aa4cbb6258ac5952dab5fd791b8718e652133c466e69
Opcode Fuzzy Hash: 1773ee17ef8e6ec99c8d2ecb16a307cbcf1fa600e37d7f0d32822ee9e6a599f2
Instruction Fuzzy Hash: 7AC19174E00218CFDB14DFA5D994BADBBB2BF89301F2080A9D809AB355DB359E85CF50

Function 04D80A28 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dad48642fc1c82dedeb23059e4be1ea6679b6dfdb48cc71f85490d06ef5c68b
Instruction ID: c0bb8a6c216d63069645632e9a1680aa2815e7f2564be4d88ffccb2a71d363d1
Opcode Fuzzy Hash: 5dad48642fc1c82dedeb23059e4be1ea6679b6dfdb48cc71f85490d06ef5c68b
Instruction Fuzzy Hash: 03C1C274E00218CFDB15DFA5D994B9DBBB2BF89305F2080A9D809AB355DB356E85CF10

Function 04D81B88 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7faaafe1a3e6f555de09a02a08b11c7c595d089ed40225d9d8e30fb3a156cb00
Instruction ID: b7ec037dc52c2c24a3887c0188f486bfe1ebf9a6cfc38bb082c843eb4aa939fc
Opcode Fuzzy Hash: 7faaafe1a3e6f555de09a02a08b11c7c595d089ed40225d9d8e30fb3a156cb00
Instruction Fuzzy Hash: FDC1B374E00218CFDB14DFA5D994BADBBB2BF89301F2080A9D809AB355DB359E85CF10

Function 04D83E0B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5791c0c12baabe02265844dda708418725623656a732c75f9c1d7f69038371f
Instruction ID: ae1febdab8de605e9e71821d943ab7bc0ad35f586d7adebc7939c1488b60c4cf
Opcode Fuzzy Hash: b5791c0c12baabe02265844dda708418725623656a732c75f9c1d7f69038371f
Instruction Fuzzy Hash: 4BA1AF74A01228CFDB65DF24C994BA9BBB2BF49301F1085EAD44EA7350DB35AE81CF51

Function 04D83FEB Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7892b33e0a42cf0f8a49eb7cb070b104f88fae6919815a3459c3ec9480894bb1
Instruction ID: 3a95a071f4d0a538e1a783a202dcb2c23ed934100c6947f7974a478832ce64ed
Opcode Fuzzy Hash: 7892b33e0a42cf0f8a49eb7cb070b104f88fae6919815a3459c3ec9480894bb1
Instruction Fuzzy Hash: 0F519374A01229CFCB65DF24C854BA9B7B2FB4A305F5089E9D40EA7350DB35AE81CF40

Function 04D87A72 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2885310234.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d80000_MV DESPINA_VESSEL_DESCRIPTION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57450104bf0f6caf998b352a678c79abcfd6a439a9c93cab6f17dd48a847682
Instruction ID: f77432116be39d5ec081daab1dd295659729873d9d4d24bc054077bbfd295021
Opcode Fuzzy Hash: c57450104bf0f6caf998b352a678c79abcfd6a439a9c93cab6f17dd48a847682
Instruction Fuzzy Hash: 6D016974811204EFC320AFB4E96D3AE7BB0EB0B303F609899D409971B1CB344B98CB00

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe

Function 011CB298 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 011C449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 011C590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 011CD2F8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 06C92198 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 011CD780 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 06C921A0 Relevance: 1.6, APIs: 1, Instructions: 59
threadCOMMON

Function 011CB498 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 06C91502 Relevance: 1.5, APIs: 1, Instructions: 45
comCOMMON

Function 0257F128 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Function 04D8A0BC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 04D8A3A8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 0257F50C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre