Edit tour

Windows Analysis Report
BAO SHUN Vessel Particulars.docx.scr.exe

Overview

General Information

Sample name:	BAO SHUN Vessel Particulars.docx.scr.exe
Analysis ID:	1618716
MD5:	69770ca275fc4a6e5c00e9cae0983ecb
SHA1:	c39fddca5a4c2611295934b6169e8760a91774c4
SHA256:	b6d1bbc15f5ae144e4801f8188cbe4768f3ba42e2c4dd56f42a7fa5ec9638460
Tags:	exeuser-threatcat_ch
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

BAO SHUN Vessel Particulars.docx.scr.exe (PID: 6112 cmdline: "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe" MD5: 69770CA275FC4A6E5C00E9CAE0983ECB)

powershell.exe (PID: 4092 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fiqzBuW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7384 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5080 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BAO SHUN Vessel Particulars.docx.scr.exe (PID: 7240 cmdline: "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe" MD5: 69770CA275FC4A6E5C00E9CAE0983ECB)

fiqzBuW.exe (PID: 7348 cmdline: C:\Users\user\AppData\Roaming\fiqzBuW.exe MD5: 69770CA275FC4A6E5C00E9CAE0983ECB)

schtasks.exe (PID: 7484 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp4813.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fiqzBuW.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Roaming\fiqzBuW.exe" MD5: 69770CA275FC4A6E5C00E9CAE0983ECB)

fiqzBuW.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Roaming\fiqzBuW.exe" MD5: 69770CA275FC4A6E5C00E9CAE0983ECB)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf8b1:$a1: get_encryptedPassword 0xfbd9:$a2: get_encryptedUsername 0xf63a:$a3: get_timePasswordChanged 0xf75b:$a4: get_passwordField 0xf8c7:$a5: set_encryptedPassword 0x1122c:$a7: get_logins 0x10edd:$a8: GetOutlookPasswords 0x10ccf:$a9: StartKeylogger 0x1117c:$a10: KeyLoggerEventArgs 0x10d2c:$a11: KeyLoggerEventArgsEventHandler
0000000F.00000002.3289907828.0000000000414000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf631:$a1: get_encryptedPassword 0xf959:$a2: get_encryptedUsername 0xf3ba:$a3: get_timePasswordChanged 0xf4db:$a4: get_passwordField 0xf647:$a5: set_encryptedPassword 0x10fac:$a7: get_logins 0x10c5d:$a8: GetOutlookPasswords 0x10a4f:$a9: StartKeylogger 0x10efc:$a10: KeyLoggerEventArgs 0x10aac:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfbf1:$a1: get_encryptedPassword 0x26a11:$a1: get_encryptedPassword 0xff19:$a2: get_encryptedUsername 0x26d39:$a2: get_encryptedUsername 0xf97a:$a3: get_timePasswordChanged 0x2679a:$a3: get_timePasswordChanged 0xfa9b:$a4: get_passwordField 0x268bb:$a4: get_passwordField 0xfc07:$a5: set_encryptedPassword 0x26a27:$a5: set_encryptedPassword 0x1156c:$a7: get_logins 0x2838c:$a7: get_logins 0x1121d:$a8: GetOutlookPasswords 0x2803d:$a8: GetOutlookPasswords 0x1100f:$a9: StartKeylogger 0x27e2f:$a9: StartKeylogger 0x114bc:$a10: KeyLoggerEventArgs 0x282dc:$a10: KeyLoggerEventArgs 0x1106c:$a11: KeyLoggerEventArgsEventHandler 0x27e8c:$a11: KeyLoggerEventArgsEventHandler
0000000F.00000002.3292936547.0000000002B17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3292888606.0000000003025000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x28a38:$a1: get_encryptedPassword 0x36c8e:$a1: get_encryptedPassword 0x28d51:$a2: get_encryptedUsername 0x36fa7:$a2: get_encryptedUsername 0x287d5:$a3: get_timePasswordChanged 0x36a2b:$a3: get_timePasswordChanged 0x288f6:$a4: get_passwordField 0x36b4c:$a4: get_passwordField 0x28a4e:$a5: set_encryptedPassword 0x36ca4:$a5: set_encryptedPassword 0x2a35a:$a7: get_logins 0x385b0:$a7: get_logins 0x2a00b:$a8: GetOutlookPasswords 0x38261:$a8: GetOutlookPasswords 0x29dfd:$a9: StartKeylogger 0x38053:$a9: StartKeylogger 0x2a2aa:$a10: KeyLoggerEventArgs 0x38500:$a10: KeyLoggerEventArgs 0x29e5a:$a11: KeyLoggerEventArgsEventHandler 0x380b0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 7240	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 7240	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fiqzBuW.exe PID: 7348	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: fiqzBuW.exe PID: 7348	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: fiqzBuW.exe PID: 7348	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: fiqzBuW.exe PID: 7348	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: fiqzBuW.exe PID: 7348	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x360b8:$a1: get_encryptedPassword 0x363d1:$a2: get_encryptedUsername 0x35e55:$a3: get_timePasswordChanged 0x35f76:$a4: get_passwordField 0x360ce:$a5: set_encryptedPassword 0x379da:$a7: get_logins 0x3768b:$a8: GetOutlookPasswords 0x3747d:$a9: StartKeylogger 0x3792a:$a10: KeyLoggerEventArgs 0x374da:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: fiqzBuW.exe PID: 7596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.fiqzBuW.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.fiqzBuW.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x142b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x137b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x13abf:$a4: \Orbitum\User Data\Default\Login Data 0x148b7:$a5: \Kometa\User Data\Default\Login Data
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd461:$a1: get_encryptedPassword 0xd789:$a2: get_encryptedUsername 0xd1ea:$a3: get_timePasswordChanged 0xd30b:$a4: get_passwordField 0xd477:$a5: set_encryptedPassword 0xeddc:$a7: get_logins 0xea8d:$a8: GetOutlookPasswords 0xe87f:$a9: StartKeylogger 0xed2c:$a10: KeyLoggerEventArgs 0xe8dc:$a11: KeyLoggerEventArgsEventHandler
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x124b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x119b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x11cbf:$a4: \Orbitum\User Data\Default\Login Data 0x12ab7:$a5: \Kometa\User Data\Default\Login Data
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd461:$a1: get_encryptedPassword 0xd789:$a2: get_encryptedUsername 0xd1ea:$a3: get_timePasswordChanged 0xd30b:$a4: get_passwordField 0xd477:$a5: set_encryptedPassword 0xeddc:$a7: get_logins 0xea8d:$a8: GetOutlookPasswords 0xe87f:$a9: StartKeylogger 0xed2c:$a10: KeyLoggerEventArgs 0xe8dc:$a11: KeyLoggerEventArgsEventHandler
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x124b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x119b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x11cbf:$a4: \Orbitum\User Data\Default\Login Data 0x12ab7:$a5: \Kometa\User Data\Default\Login Data
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf261:$a1: get_encryptedPassword 0xf589:$a2: get_encryptedUsername 0xefea:$a3: get_timePasswordChanged 0xf10b:$a4: get_passwordField 0xf277:$a5: set_encryptedPassword 0x10bdc:$a7: get_logins 0x1088d:$a8: GetOutlookPasswords 0x1067f:$a9: StartKeylogger 0x10b2c:$a10: KeyLoggerEventArgs 0x106dc:$a11: KeyLoggerEventArgsEventHandler
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x142b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x137b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x13abf:$a4: \Orbitum\User Data\Default\Login Data 0x148b7:$a5: \Kometa\User Data\Default\Login Data
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf261:$a1: get_encryptedPassword 0x26081:$a1: get_encryptedPassword 0xf589:$a2: get_encryptedUsername 0x263a9:$a2: get_encryptedUsername 0xefea:$a3: get_timePasswordChanged 0x25e0a:$a3: get_timePasswordChanged 0xf10b:$a4: get_passwordField 0x25f2b:$a4: get_passwordField 0xf277:$a5: set_encryptedPassword 0x26097:$a5: set_encryptedPassword 0x10bdc:$a7: get_logins 0x279fc:$a7: get_logins 0x1088d:$a8: GetOutlookPasswords 0x276ad:$a8: GetOutlookPasswords 0x1067f:$a9: StartKeylogger 0x2749f:$a9: StartKeylogger 0x10b2c:$a10: KeyLoggerEventArgs 0x2794c:$a10: KeyLoggerEventArgs 0x106dc:$a11: KeyLoggerEventArgsEventHandler 0x274fc:$a11: KeyLoggerEventArgsEventHandler
0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x142b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2b0d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x137b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a5d1:$a3: \Google\Chrome\User Data\Default\Login Data 0x13abf:$a4: \Orbitum\User Data\Default\Login Data 0x2a8df:$a4: \Orbitum\User Data\Default\Login Data 0x148b7:$a5: \Kometa\User Data\Default\Login Data 0x2b6d7:$a5: \Kometa\User Data\Default\Login Data
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe", ParentImage: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe, ParentProcessId: 6112, ParentProcessName: BAO SHUN Vessel Particulars.docx.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe", ProcessId: 4092, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp4813.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp4813.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\fiqzBuW.exe, ParentImage: C:\Users\user\AppData\Roaming\fiqzBuW.exe, ParentProcessId: 7348, ParentProcessName: fiqzBuW.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp4813.tmp", ProcessId: 7484, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe", ParentImage: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe, ParentProcessId: 6112, ParentProcessName: BAO SHUN Vessel Particulars.docx.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp", ProcessId: 5080, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe", ParentImage: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe, ParentProcessId: 6112, ParentProcessName: BAO SHUN Vessel Particulars.docx.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe", ProcessId: 4092, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe", ParentImage: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe, ParentProcessId: 6112, ParentProcessName: BAO SHUN Vessel Particulars.docx.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp", ProcessId: 5080, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T03:55:16.131099+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	132.226.8.169	80	TCP
2025-02-19T03:55:19.646799+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49709	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe

ReversingLabs: Detection: 16%

Multi AV Scanner detection for submitted file

Source: BAO SHUN Vessel Particulars.docx.scr.exe	Virustotal: Detection: 23%			Perma Link
Source: BAO SHUN Vessel Particulars.docx.scr.exe	ReversingLabs: Detection: 16%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: BAO SHUN Vessel Particulars.docx.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49712 version: TLS 1.0

Source: BAO SHUN Vessel Particulars.docx.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 4x nop then jmp 02CCA2C1h	9_2_02CCA010
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 4x nop then jmp 02CCA88Ah	9_2_02CCA470
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 4x nop then jmp 02CCA88Ah	9_2_02CCA7CA
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 4x nop then jmp 02CCA88Ah	9_2_02CCA7B7
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 4x nop then jmp 02CCA88Ah	9_2_02CCA461
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 4x nop then jmp 02CCEF20h	9_2_02CCEB00
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 4x nop then jmp 02CCF378h	9_2_02CCF0D0
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 4x nop then jmp 02CCF7D0h	9_2_02CCF528
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 4x nop then jmp 02CCFC28h	9_2_02CCF980
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 4x nop then jmp 00E0A431h	15_2_00E0A180
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 4x nop then jmp 00E0ACD0h	15_2_00E0A8B8
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 4x nop then jmp 00E0ACD0h	15_2_00E0A8B4
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 4x nop then jmp 00E0EB40h	15_2_00E0E898
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 4x nop then jmp 00E0ACD0h	15_2_00E0ABFE
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 4x nop then jmp 00E0EF98h	15_2_00E0ECF0
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 4x nop then jmp 00E0F3F0h	15_2_00E0F148
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 4x nop then jmp 00E0F848h	15_2_00E0F5A0
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 4x nop then jmp 00E0FCA0h	15_2_00E0F9F8

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49712 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3289913052.0000000000413000.00000040.00000400.00020000.00000000.sdmp, fiqzBuW.exe, 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F6B000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F6B000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2086167662.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000A.00000002.2124925059.000000000332C000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namex
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3289913052.0000000000413000.00000040.00000400.00020000.00000000.sdmp, fiqzBuW.exe, 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3289913052.0000000000413000.00000040.00000400.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.orgx

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.fiqzBuW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fiqzBuW.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 0_2_0291DA5C	0_2_0291DA5C
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 9_2_02CCA010	9_2_02CCA010
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 9_2_02CCA000	9_2_02CCA000
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 9_2_02CCEB00	9_2_02CCEB00
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 9_2_02CC2DD1	9_2_02CC2DD1
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 9_2_02CCF0C0	9_2_02CCF0C0
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 9_2_02CCF0D0	9_2_02CCF0D0
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 9_2_02CCF518	9_2_02CCF518
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 9_2_02CCF528	9_2_02CCF528
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 9_2_02CCF980	9_2_02CCF980
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Code function: 9_2_02CCF970	9_2_02CCF970
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 10_2_02FADA5C	10_2_02FADA5C
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 10_2_058151C4	10_2_058151C4
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 10_2_0581D0CF	10_2_0581D0CF
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 10_2_0581B9E8	10_2_0581B9E8
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 10_2_0581F5D0	10_2_0581F5D0
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 10_2_05816462	10_2_05816462
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0A180	15_2_00E0A180
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E02DD1	15_2_00E02DD1
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0A16F	15_2_00E0A16F
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0E897	15_2_00E0E897
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0E898	15_2_00E0E898
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0ECE0	15_2_00E0ECE0
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0ECF0	15_2_00E0ECF0
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0F141	15_2_00E0F141
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0F148	15_2_00E0F148
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0F5A0	15_2_00E0F5A0
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0F590	15_2_00E0F590
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0F9E9	15_2_00E0F9E9
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 15_2_00E0F9F8	15_2_00E0F9F8

Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2098286462.0000000006EB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs BAO SHUN Vessel Particulars.docx.scr.exe
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2082606533.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs BAO SHUN Vessel Particulars.docx.scr.exe
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2086167662.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs BAO SHUN Vessel Particulars.docx.scr.exe
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2093099793.00000000053D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs BAO SHUN Vessel Particulars.docx.scr.exe
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000000.2047150195.000000000069A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamezYxw.exeH vs BAO SHUN Vessel Particulars.docx.scr.exe
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs BAO SHUN Vessel Particulars.docx.scr.exe
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs BAO SHUN Vessel Particulars.docx.scr.exe
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs BAO SHUN Vessel Particulars.docx.scr.exe
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3290217097.0000000000F37000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BAO SHUN Vessel Particulars.docx.scr.exe
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3289913052.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs BAO SHUN Vessel Particulars.docx.scr.exe
Source: BAO SHUN Vessel Particulars.docx.scr.exe	Binary or memory string: OriginalFilenamezYxw.exeH vs BAO SHUN Vessel Particulars.docx.scr.exe

Source: BAO SHUN Vessel Particulars.docx.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.fiqzBuW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fiqzBuW.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: BAO SHUN Vessel Particulars.docx.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fiqzBuW.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, LVS8hTotvaPUWa475K.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, LVS8hTotvaPUWa475K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, LVS8hTotvaPUWa475K.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, LVS8hTotvaPUWa475K.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, LVS8hTotvaPUWa475K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, LVS8hTotvaPUWa475K.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, Cbcc8H1IRd5SNZ0S3M.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, Cbcc8H1IRd5SNZ0S3M.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, Cbcc8H1IRd5SNZ0S3M.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, Cbcc8H1IRd5SNZ0S3M.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, LVS8hTotvaPUWa475K.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, LVS8hTotvaPUWa475K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, LVS8hTotvaPUWa475K.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, Cbcc8H1IRd5SNZ0S3M.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, Cbcc8H1IRd5SNZ0S3M.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

File created: C:\Users\user\AppData\Roaming\fiqzBuW.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Mutant created: \Sessions\1\BaseNamedObjects\pUJrQpfDGEmKmlejBOdJyHqveLO
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp3B32.tmp

Jump to behavior

Source: BAO SHUN Vessel Particulars.docx.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BAO SHUN Vessel Particulars.docx.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3294964364.0000000003EFD000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: BAO SHUN Vessel Particulars.docx.scr.exe	Virustotal: Detection: 23%
Source: BAO SHUN Vessel Particulars.docx.scr.exe	ReversingLabs: Detection: 16%

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

File read: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fiqzBuW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fiqzBuW.exe C:\Users\user\AppData\Roaming\fiqzBuW.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp4813.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process created: C:\Users\user\AppData\Roaming\fiqzBuW.exe "C:\Users\user\AppData\Roaming\fiqzBuW.exe"
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process created: C:\Users\user\AppData\Roaming\fiqzBuW.exe "C:\Users\user\AppData\Roaming\fiqzBuW.exe"
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fiqzBuW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp4813.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process created: C:\Users\user\AppData\Roaming\fiqzBuW.exe "C:\Users\user\AppData\Roaming\fiqzBuW.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process created: C:\Users\user\AppData\Roaming\fiqzBuW.exe "C:\Users\user\AppData\Roaming\fiqzBuW.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: BAO SHUN Vessel Particulars.docx.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BAO SHUN Vessel Particulars.docx.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: BAO SHUN Vessel Particulars.docx.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, LVS8hTotvaPUWa475K.cs	.Net Code: OjF4ItAP3C System.Reflection.Assembly.Load(byte[])
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.53d0000.4.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, LVS8hTotvaPUWa475K.cs	.Net Code: OjF4ItAP3C System.Reflection.Assembly.Load(byte[])
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, LVS8hTotvaPUWa475K.cs	.Net Code: OjF4ItAP3C System.Reflection.Assembly.Load(byte[])

Source: BAO SHUN Vessel Particulars.docx.scr.exe

Static PE information: 0x9C25BD6A [Sun Jan 5 19:43:38 2053 UTC]

Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 10_2_02FAF288 pushfd ; iretd		10_2_02FAF291
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Code function: 10_2_05811598 pushfd ; iretd		10_2_058115A9

Source: BAO SHUN Vessel Particulars.docx.scr.exe	Static PE information: section name: .text entropy: 7.646167961522776
Source: fiqzBuW.exe.0.dr	Static PE information: section name: .text entropy: 7.646167961522776

Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, P0IXSup4p02kjJ49gD.cs	High entropy of concatenated method names: 'uBGtiJYZ2p', 'nHbtHJXlRC', 'Xbit5k4sH2', 'jAwtsZf2S5', 'OhftoFogOo', 'Qms5m7U08m', 's1F5BAgDeN', 'gWW5PhY9pd', 'l6O5n4fxJZ', 'BlB5epqBWT'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, HNwMH4ed2YigDOOKEj.cs	High entropy of concatenated method names: 'meq7pW6teZ', 'WmO7LDrTSg', 'XhD7bXDsA5', 'qaD79lE6Pf', 'qsv7cQ721L', 'QWo70Y5J5i', 'O8u7dQai9e', 'bbB7OiljIN', 'hV37X6S9SL', 'Ha97ECNYpV'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, UWgwloXvSK8ou7fLlM.cs	High entropy of concatenated method names: 'R9fsxXc9vO', 'TwhsSOPZKu', 'W5vsIIweER', 'NBEshbOGZD', 'wtFsvfr0UW', 'zR5sJuQiLO', 'UEXsFy2jZf', 'XHKs1v9g2H', 'IaXslox8Ws', 'WppsTeF8ca'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, Xbk6jOVUY668JJkYhn.cs	High entropy of concatenated method names: 'l4PIlWSag', 'BMRhJm6XY', 'MUGJnjPdw', 'VsaFcp1BL', 'jPhlZniNv', 'ANiToOKkB', 'IaUnrxN95VeId99W4W', 'PHj48PbJTNU3udxKtZ', 'DGi6O7KRc', 'vUUK6e4NT'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, Lj0LUig3tlMOspVnHp.cs	High entropy of concatenated method names: 'm52k1eBa0Q', 'tSxkloCyA0', 'T2PkpcJDbD', 'fmGkLvRib5', 'E06k9wYtkE', 'jwfkchpx2C', 'bojkdkcNN7', 'cOGkODpHMW', 'siukE3WK3p', 'UNLkCduGym'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, PrHx94YA8538pRt2PM.cs	High entropy of concatenated method names: 'ToString', 't1mrCQNqVh', 'vxFrL8fQw0', 'NytrbS20Pl', 'D0pr9plC0Y', 'gmerc1Khed', 'XQIr0TE19R', 'ogOrd5VCoZ', 'BperONtVEc', 'XNdrXG7wlZ'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, z6pXfD4H88WcpUDwVY.cs	High entropy of concatenated method names: 'PUFAsbcc8H', 'zRdAo5SNZ0', 'hYFARHKdUC', 'B6RAUN6qpV', 'vLPAaNgD0I', 'NSuAr4p02k', 'UDMeM3rJMU1O9Reg5P', 'xxjLJLsfOAEYVye8Ec', 'VwaAAWPBwv', 'fl7AqjoAgB'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, FMBXlQAAa5fPM30JR4m.cs	High entropy of concatenated method names: 'QkaK3S1xvw', 'xQWKzPuBQe', 'I5jMGRyHP3', 'C4yMAmKFVy', 'NhDMVNe2Ly', 'twfMqc8VBs', 'nfAM4q1tv2', 'VJTMiuQakN', 'NZGMwFnaiA', 'FwCMHHWFj8'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, JJ5NZ7A4KQYm1IyWrRi.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'du3N7nyxTJ', 'keNNK4hfSv', 'jMBNMDfbdl', 'LWqNNnI35a', 'Dv1NuxjDYw', 'ndoN8kqo08', 'ECPNWrE9fa'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, Rnhs6IjQbN1Pb2He81.cs	High entropy of concatenated method names: 'D0eaElsJ6J', 'rR8aDeVKOH', 'jarajHkhIb', 'LNfafFmmw8', 'sJPaL7Okld', 'KHyabxMqtT', 'ycwa9PhauK', 'U1raco8RI9', 'QN1a0KGF5d', 'xBBadclhN3'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, ouaAYQlYFHKdUCJ6RN.cs	High entropy of concatenated method names: 'qADQhorIBl', 'LAvQJhiMTo', 'HWQQ1V9WVC', 'zU4Ql24uKB', 'OEXQaVYVkp', 'NtvQrwyUOY', 'ci6QyKniJQ', 'BVxQ6GMqaE', 'sN0Q7kqWsc', 'r3eQKh8xV7'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, Cbcc8H1IRd5SNZ0S3M.cs	High entropy of concatenated method names: 'PrOHjQ3QOr', 'p4FHfovV9E', 'nv3HYgyJaE', 'H3DH25x1YY', 'BZkHmlGj5Z', 'vWuHBWUys8', 'EXqHPPQmFu', 'GruHn4pjdx', 'KmHHewQgIc', 'UFAH3xVTSU'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, c2ots2B9TQnBGNYlB6.cs	High entropy of concatenated method names: 'H0KynZ75hX', 'omFy3wGOsp', 'cXr6GCGXne', 'SMi6AbE9di', 'mTxyCipoDH', 'CyZyDoPSPw', 'UThygWQVYH', 'Ip8yjtlAkv', 'DpayfOpNZf', 'nPtyYOR94a'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, LVS8hTotvaPUWa475K.cs	High entropy of concatenated method names: 'zFpqicOd7n', 'c4yqwB6w2x', 'h2qqHtpg0f', 'RIKqQQH137', 'DJsq5uIRGO', 'JL0qtJkaM1', 'Fk4qsFIT9V', 'WCKqoxuutY', 'fLxqZpGM20', 'BsCqRkXuPf'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, a3GFqKHwTmvgo0snWB.cs	High entropy of concatenated method names: 'Dispose', 'PUKAe2Cuo1', 'GZ2VLQGIww', 'hDwSuy66jB', 'SDVA3dVJNO', 't1CAzAe7FN', 'ProcessDialogKey', 'WWbVGNwMH4', 'K2YVAigDOO', 'sEjVV0EXYK'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, hhTNGJPZ0gUK2Cuo1Y.cs	High entropy of concatenated method names: 'rkQ7a8a4wU', 'Qmd7yJbC8e', 'spc77N0Xka', 'ybW7M8tIAR', 'WNk7urSSob', 'UhB7WKVqZw', 'Dispose', 'V456wZfqgQ', 'W6m6HYifIA', 'tKC6Q5titq'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, C6GwZjdAjFp0eODZjR.cs	High entropy of concatenated method names: 'h9WswyqG01', 'UhDsQX6iox', 'mi6stS1NDw', 'b0jt37y8oY', 'Wh6tzcufoK', 'VPWsGWAFPa', 'v3FsAZcpfj', 'B1MsVTpm2t', 'NiIsqic6Rb', 'MH9s4lfsJP'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.435baf0.0.raw.unpack, BEScx0zPhsoTHjxHKR.cs	High entropy of concatenated method names: 'nFWKJZSCaV', 'HrVK1yIXCn', 'A12KlkLAri', 'fQ2KpOYW5b', 'JRYKLXB9yX', 'Gm5K9aUwa3', 'sS4KcLxHC7', 'mAxKWiKURf', 'nRhKxstZuK', 'xjLKSZjngq'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, P0IXSup4p02kjJ49gD.cs	High entropy of concatenated method names: 'uBGtiJYZ2p', 'nHbtHJXlRC', 'Xbit5k4sH2', 'jAwtsZf2S5', 'OhftoFogOo', 'Qms5m7U08m', 's1F5BAgDeN', 'gWW5PhY9pd', 'l6O5n4fxJZ', 'BlB5epqBWT'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, HNwMH4ed2YigDOOKEj.cs	High entropy of concatenated method names: 'meq7pW6teZ', 'WmO7LDrTSg', 'XhD7bXDsA5', 'qaD79lE6Pf', 'qsv7cQ721L', 'QWo70Y5J5i', 'O8u7dQai9e', 'bbB7OiljIN', 'hV37X6S9SL', 'Ha97ECNYpV'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, UWgwloXvSK8ou7fLlM.cs	High entropy of concatenated method names: 'R9fsxXc9vO', 'TwhsSOPZKu', 'W5vsIIweER', 'NBEshbOGZD', 'wtFsvfr0UW', 'zR5sJuQiLO', 'UEXsFy2jZf', 'XHKs1v9g2H', 'IaXslox8Ws', 'WppsTeF8ca'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, Xbk6jOVUY668JJkYhn.cs	High entropy of concatenated method names: 'l4PIlWSag', 'BMRhJm6XY', 'MUGJnjPdw', 'VsaFcp1BL', 'jPhlZniNv', 'ANiToOKkB', 'IaUnrxN95VeId99W4W', 'PHj48PbJTNU3udxKtZ', 'DGi6O7KRc', 'vUUK6e4NT'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, Lj0LUig3tlMOspVnHp.cs	High entropy of concatenated method names: 'm52k1eBa0Q', 'tSxkloCyA0', 'T2PkpcJDbD', 'fmGkLvRib5', 'E06k9wYtkE', 'jwfkchpx2C', 'bojkdkcNN7', 'cOGkODpHMW', 'siukE3WK3p', 'UNLkCduGym'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, PrHx94YA8538pRt2PM.cs	High entropy of concatenated method names: 'ToString', 't1mrCQNqVh', 'vxFrL8fQw0', 'NytrbS20Pl', 'D0pr9plC0Y', 'gmerc1Khed', 'XQIr0TE19R', 'ogOrd5VCoZ', 'BperONtVEc', 'XNdrXG7wlZ'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, z6pXfD4H88WcpUDwVY.cs	High entropy of concatenated method names: 'PUFAsbcc8H', 'zRdAo5SNZ0', 'hYFARHKdUC', 'B6RAUN6qpV', 'vLPAaNgD0I', 'NSuAr4p02k', 'UDMeM3rJMU1O9Reg5P', 'xxjLJLsfOAEYVye8Ec', 'VwaAAWPBwv', 'fl7AqjoAgB'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, FMBXlQAAa5fPM30JR4m.cs	High entropy of concatenated method names: 'QkaK3S1xvw', 'xQWKzPuBQe', 'I5jMGRyHP3', 'C4yMAmKFVy', 'NhDMVNe2Ly', 'twfMqc8VBs', 'nfAM4q1tv2', 'VJTMiuQakN', 'NZGMwFnaiA', 'FwCMHHWFj8'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, JJ5NZ7A4KQYm1IyWrRi.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'du3N7nyxTJ', 'keNNK4hfSv', 'jMBNMDfbdl', 'LWqNNnI35a', 'Dv1NuxjDYw', 'ndoN8kqo08', 'ECPNWrE9fa'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, Rnhs6IjQbN1Pb2He81.cs	High entropy of concatenated method names: 'D0eaElsJ6J', 'rR8aDeVKOH', 'jarajHkhIb', 'LNfafFmmw8', 'sJPaL7Okld', 'KHyabxMqtT', 'ycwa9PhauK', 'U1raco8RI9', 'QN1a0KGF5d', 'xBBadclhN3'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, ouaAYQlYFHKdUCJ6RN.cs	High entropy of concatenated method names: 'qADQhorIBl', 'LAvQJhiMTo', 'HWQQ1V9WVC', 'zU4Ql24uKB', 'OEXQaVYVkp', 'NtvQrwyUOY', 'ci6QyKniJQ', 'BVxQ6GMqaE', 'sN0Q7kqWsc', 'r3eQKh8xV7'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, Cbcc8H1IRd5SNZ0S3M.cs	High entropy of concatenated method names: 'PrOHjQ3QOr', 'p4FHfovV9E', 'nv3HYgyJaE', 'H3DH25x1YY', 'BZkHmlGj5Z', 'vWuHBWUys8', 'EXqHPPQmFu', 'GruHn4pjdx', 'KmHHewQgIc', 'UFAH3xVTSU'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, c2ots2B9TQnBGNYlB6.cs	High entropy of concatenated method names: 'H0KynZ75hX', 'omFy3wGOsp', 'cXr6GCGXne', 'SMi6AbE9di', 'mTxyCipoDH', 'CyZyDoPSPw', 'UThygWQVYH', 'Ip8yjtlAkv', 'DpayfOpNZf', 'nPtyYOR94a'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, LVS8hTotvaPUWa475K.cs	High entropy of concatenated method names: 'zFpqicOd7n', 'c4yqwB6w2x', 'h2qqHtpg0f', 'RIKqQQH137', 'DJsq5uIRGO', 'JL0qtJkaM1', 'Fk4qsFIT9V', 'WCKqoxuutY', 'fLxqZpGM20', 'BsCqRkXuPf'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, a3GFqKHwTmvgo0snWB.cs	High entropy of concatenated method names: 'Dispose', 'PUKAe2Cuo1', 'GZ2VLQGIww', 'hDwSuy66jB', 'SDVA3dVJNO', 't1CAzAe7FN', 'ProcessDialogKey', 'WWbVGNwMH4', 'K2YVAigDOO', 'sEjVV0EXYK'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, hhTNGJPZ0gUK2Cuo1Y.cs	High entropy of concatenated method names: 'rkQ7a8a4wU', 'Qmd7yJbC8e', 'spc77N0Xka', 'ybW7M8tIAR', 'WNk7urSSob', 'UhB7WKVqZw', 'Dispose', 'V456wZfqgQ', 'W6m6HYifIA', 'tKC6Q5titq'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, C6GwZjdAjFp0eODZjR.cs	High entropy of concatenated method names: 'h9WswyqG01', 'UhDsQX6iox', 'mi6stS1NDw', 'b0jt37y8oY', 'Wh6tzcufoK', 'VPWsGWAFPa', 'v3FsAZcpfj', 'B1MsVTpm2t', 'NiIsqic6Rb', 'MH9s4lfsJP'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.6eb0000.5.raw.unpack, BEScx0zPhsoTHjxHKR.cs	High entropy of concatenated method names: 'nFWKJZSCaV', 'HrVK1yIXCn', 'A12KlkLAri', 'fQ2KpOYW5b', 'JRYKLXB9yX', 'Gm5K9aUwa3', 'sS4KcLxHC7', 'mAxKWiKURf', 'nRhKxstZuK', 'xjLKSZjngq'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, P0IXSup4p02kjJ49gD.cs	High entropy of concatenated method names: 'uBGtiJYZ2p', 'nHbtHJXlRC', 'Xbit5k4sH2', 'jAwtsZf2S5', 'OhftoFogOo', 'Qms5m7U08m', 's1F5BAgDeN', 'gWW5PhY9pd', 'l6O5n4fxJZ', 'BlB5epqBWT'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, HNwMH4ed2YigDOOKEj.cs	High entropy of concatenated method names: 'meq7pW6teZ', 'WmO7LDrTSg', 'XhD7bXDsA5', 'qaD79lE6Pf', 'qsv7cQ721L', 'QWo70Y5J5i', 'O8u7dQai9e', 'bbB7OiljIN', 'hV37X6S9SL', 'Ha97ECNYpV'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, UWgwloXvSK8ou7fLlM.cs	High entropy of concatenated method names: 'R9fsxXc9vO', 'TwhsSOPZKu', 'W5vsIIweER', 'NBEshbOGZD', 'wtFsvfr0UW', 'zR5sJuQiLO', 'UEXsFy2jZf', 'XHKs1v9g2H', 'IaXslox8Ws', 'WppsTeF8ca'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, Xbk6jOVUY668JJkYhn.cs	High entropy of concatenated method names: 'l4PIlWSag', 'BMRhJm6XY', 'MUGJnjPdw', 'VsaFcp1BL', 'jPhlZniNv', 'ANiToOKkB', 'IaUnrxN95VeId99W4W', 'PHj48PbJTNU3udxKtZ', 'DGi6O7KRc', 'vUUK6e4NT'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, Lj0LUig3tlMOspVnHp.cs	High entropy of concatenated method names: 'm52k1eBa0Q', 'tSxkloCyA0', 'T2PkpcJDbD', 'fmGkLvRib5', 'E06k9wYtkE', 'jwfkchpx2C', 'bojkdkcNN7', 'cOGkODpHMW', 'siukE3WK3p', 'UNLkCduGym'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, PrHx94YA8538pRt2PM.cs	High entropy of concatenated method names: 'ToString', 't1mrCQNqVh', 'vxFrL8fQw0', 'NytrbS20Pl', 'D0pr9plC0Y', 'gmerc1Khed', 'XQIr0TE19R', 'ogOrd5VCoZ', 'BperONtVEc', 'XNdrXG7wlZ'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, z6pXfD4H88WcpUDwVY.cs	High entropy of concatenated method names: 'PUFAsbcc8H', 'zRdAo5SNZ0', 'hYFARHKdUC', 'B6RAUN6qpV', 'vLPAaNgD0I', 'NSuAr4p02k', 'UDMeM3rJMU1O9Reg5P', 'xxjLJLsfOAEYVye8Ec', 'VwaAAWPBwv', 'fl7AqjoAgB'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, FMBXlQAAa5fPM30JR4m.cs	High entropy of concatenated method names: 'QkaK3S1xvw', 'xQWKzPuBQe', 'I5jMGRyHP3', 'C4yMAmKFVy', 'NhDMVNe2Ly', 'twfMqc8VBs', 'nfAM4q1tv2', 'VJTMiuQakN', 'NZGMwFnaiA', 'FwCMHHWFj8'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, JJ5NZ7A4KQYm1IyWrRi.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'du3N7nyxTJ', 'keNNK4hfSv', 'jMBNMDfbdl', 'LWqNNnI35a', 'Dv1NuxjDYw', 'ndoN8kqo08', 'ECPNWrE9fa'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, Rnhs6IjQbN1Pb2He81.cs	High entropy of concatenated method names: 'D0eaElsJ6J', 'rR8aDeVKOH', 'jarajHkhIb', 'LNfafFmmw8', 'sJPaL7Okld', 'KHyabxMqtT', 'ycwa9PhauK', 'U1raco8RI9', 'QN1a0KGF5d', 'xBBadclhN3'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, ouaAYQlYFHKdUCJ6RN.cs	High entropy of concatenated method names: 'qADQhorIBl', 'LAvQJhiMTo', 'HWQQ1V9WVC', 'zU4Ql24uKB', 'OEXQaVYVkp', 'NtvQrwyUOY', 'ci6QyKniJQ', 'BVxQ6GMqaE', 'sN0Q7kqWsc', 'r3eQKh8xV7'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, Cbcc8H1IRd5SNZ0S3M.cs	High entropy of concatenated method names: 'PrOHjQ3QOr', 'p4FHfovV9E', 'nv3HYgyJaE', 'H3DH25x1YY', 'BZkHmlGj5Z', 'vWuHBWUys8', 'EXqHPPQmFu', 'GruHn4pjdx', 'KmHHewQgIc', 'UFAH3xVTSU'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, c2ots2B9TQnBGNYlB6.cs	High entropy of concatenated method names: 'H0KynZ75hX', 'omFy3wGOsp', 'cXr6GCGXne', 'SMi6AbE9di', 'mTxyCipoDH', 'CyZyDoPSPw', 'UThygWQVYH', 'Ip8yjtlAkv', 'DpayfOpNZf', 'nPtyYOR94a'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, LVS8hTotvaPUWa475K.cs	High entropy of concatenated method names: 'zFpqicOd7n', 'c4yqwB6w2x', 'h2qqHtpg0f', 'RIKqQQH137', 'DJsq5uIRGO', 'JL0qtJkaM1', 'Fk4qsFIT9V', 'WCKqoxuutY', 'fLxqZpGM20', 'BsCqRkXuPf'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, a3GFqKHwTmvgo0snWB.cs	High entropy of concatenated method names: 'Dispose', 'PUKAe2Cuo1', 'GZ2VLQGIww', 'hDwSuy66jB', 'SDVA3dVJNO', 't1CAzAe7FN', 'ProcessDialogKey', 'WWbVGNwMH4', 'K2YVAigDOO', 'sEjVV0EXYK'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, hhTNGJPZ0gUK2Cuo1Y.cs	High entropy of concatenated method names: 'rkQ7a8a4wU', 'Qmd7yJbC8e', 'spc77N0Xka', 'ybW7M8tIAR', 'WNk7urSSob', 'UhB7WKVqZw', 'Dispose', 'V456wZfqgQ', 'W6m6HYifIA', 'tKC6Q5titq'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, C6GwZjdAjFp0eODZjR.cs	High entropy of concatenated method names: 'h9WswyqG01', 'UhDsQX6iox', 'mi6stS1NDw', 'b0jt37y8oY', 'Wh6tzcufoK', 'VPWsGWAFPa', 'v3FsAZcpfj', 'B1MsVTpm2t', 'NiIsqic6Rb', 'MH9s4lfsJP'
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.43b6d10.1.raw.unpack, BEScx0zPhsoTHjxHKR.cs	High entropy of concatenated method names: 'nFWKJZSCaV', 'HrVK1yIXCn', 'A12KlkLAri', 'fQ2KpOYW5b', 'JRYKLXB9yX', 'Gm5K9aUwa3', 'sS4KcLxHC7', 'mAxKWiKURf', 'nRhKxstZuK', 'xjLKSZjngq'

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

File created: C:\Users\user\AppData\Roaming\fiqzBuW.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: docx.scr

Static PE information: BAO SHUN Vessel Particulars.docx.scr.exe

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiqzBuW.exe PID: 7348, type: MEMORYSTR

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: 27C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: 4980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: 7A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: 8A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: 8C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: 9C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: A180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: B180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: C180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: 5170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: 7BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: 7780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: 8BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: 9BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: 9F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: AF50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: BF50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: 29C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Memory allocated: 49C0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6718	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6961	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 500	Jump to behavior

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe TID: 1200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4084	Thread sleep count: 6718 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4084	Thread sleep count: 250 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe TID: 7376	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3290523657.0000000001235000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2082606533.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: fiqzBuW.exe, 0000000F.00000002.3290439511.0000000000B96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllon

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fiqzBuW.exe"
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fiqzBuW.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fiqzBuW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Process created: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp4813.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process created: C:\Users\user\AppData\Roaming\fiqzBuW.exe "C:\Users\user\AppData\Roaming\fiqzBuW.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Process created: C:\Users\user\AppData\Roaming\fiqzBuW.exe "C:\Users\user\AppData\Roaming\fiqzBuW.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Users\user\AppData\Roaming\fiqzBuW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Users\user\AppData\Roaming\fiqzBuW.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiqzBuW.exe PID: 7348, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 7240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiqzBuW.exe PID: 7348, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fiqzBuW.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 15.2.fiqzBuW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3289907828.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3292936547.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3292888606.0000000003025000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 7240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiqzBuW.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiqzBuW.exe PID: 7596, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiqzBuW.exe PID: 7348, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39c07b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BAO SHUN Vessel Particulars.docx.scr.exe.39a9990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BAO SHUN Vessel Particulars.docx.scr.exe PID: 7240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fiqzBuW.exe PID: 7348, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	13 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BAO SHUN Vessel Particulars.docx.scr.exe	24%	Virustotal		Browse
BAO SHUN Vessel Particulars.docx.scr.exe	16%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\fiqzBuW.exe	16%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://reallyfreegeoip.orgx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3289913052.0000000000413000.00000040.00000400.00020000.00000000.sdmp, fiqzBuW.exe, 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F6B000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F6B000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A60000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2086167662.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000A.00000002.2124925059.000000000332C000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3289913052.0000000000413000.00000040.00000400.00020000.00000000.sdmp, fiqzBuW.exe, 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.orgx	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namex	BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3289913052.0000000000413000.00000040.00000400.00020000.00000000.sdmp, BAO SHUN Vessel Particulars.docx.scr.exe, 00000009.00000002.3292888606.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, fiqzBuW.exe, 0000000F.00000002.3292936547.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.112.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1618716
Start date and time:	2025-02-19 03:54:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BAO SHUN Vessel Particulars.docx.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 152 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 92.123.18.162, 13.107.246.44, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BAO SHUN Vessel Particulars.docx.scr.exe, PID 7240 because it is empty
Execution Graph export aborted for target fiqzBuW.exe, PID 7596 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:55:06	Task Scheduler	Run new task: fiqzBuW path: C:\Users\user\AppData\Roaming\fiqzBuW.exe
21:55:04	API Interceptor	1x Sleep call for process: BAO SHUN Vessel Particulars.docx.scr.exe modified
21:55:05	API Interceptor	26x Sleep call for process: powershell.exe modified
21:55:08	API Interceptor	1x Sleep call for process: fiqzBuW.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	new purchase order21125.bat.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Draft doc PI ITS15235.vbs	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	17399017864923eee8aa147822e3bb140bbbe25809ef78f182071adaecdfc4cd37ec741533789.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rDlVVqet8gxlhLhd.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	046s01900330081250b4057885818022025.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Vejning.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	jjmax il.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Get hash	malicious	DBatLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rJustificante67.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	VSVy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Purchase Order 77809 for acknowledgment.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	Swift Copy_18.02.2025.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	new purchase order21125.bat.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Quote_items1&2.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	invoice packing list.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	Draft doc PI ITS15235.vbs	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	customer request.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	17399017864923eee8aa147822e3bb140bbbe25809ef78f182071adaecdfc4cd37ec741533789.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
checkip.dyndns.com	VSVy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Purchase Order 77809 for acknowledgment.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Swift Copy_18.02.2025.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	new purchase order21125.bat.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Quote_items1&2.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	invoice packing list.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Draft doc PI ITS15235.vbs	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	customer request.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	17399017864923eee8aa147822e3bb140bbbe25809ef78f182071adaecdfc4cd37ec741533789.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	new purchase order21125.bat.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Draft doc PI ITS15235.vbs	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	17399017864923eee8aa147822e3bb140bbbe25809ef78f182071adaecdfc4cd37ec741533789.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PURCHASE ORDER 9828165.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	rDlVVqet8gxlhLhd.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	046s01900330081250b4057885818022025.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Confirmarea comenzii.exe	Get hash	malicious	DarkTortilla, MassLogger RAT	Browse	132.226.247.73
	Vejning.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Commercial Invoice Confirmation-1132346.vbs	Get hash	malicious	Unknown	Browse	132.226.247.73
CLOUDFLARENETUS	VSVy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	#U0160iauliai.dll	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	chitanta de plata 002093940409505050960000.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://www.asphaltprofessionals.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.64.146.59
	https://github.com/divinusinc/Deus/releases/download/launcher/Deus.Launcher.exe	Get hash	malicious	Unknown	Browse	172.67.214.1
	https://rnicrosoft-secured-office.squarespace.com/sharepointcoc?e=bob_smith@gmail.com	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://newtravels981.weebly.com/log-in-whatsapp.html	Get hash	malicious	Unknown	Browse	104.18.86.42
	#U5b5f#U8f69#U7f511.0 64#U4f4d.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://ashmithraj069.github.io/Amazon-Clone/	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://cdn.trytraffics.com/rdr/YWE9MzgxNDI0MTA5JnNlaT0zMDM3MTQwMSZ0az1xQklmYXVLY0hmQ2dubEg3NmpaZCZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM=	Get hash	malicious	Unknown	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	VSVy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Purchase Order 77809 for acknowledgment.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Swift Copy_18.02.2025.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	new purchase order21125.bat.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Quote_items1&2.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	invoice packing list.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Draft doc PI ITS15235.vbs	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	customer request.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	T#U00fcrk Havac#U0131l#U0131k ve Uzay Sanayii A#U015e TEKL#U0130F TALEB#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	17399017864923eee8aa147822e3bb140bbbe25809ef78f182071adaecdfc4cd37ec741533789.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1

Process:	C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fiqzBuW.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\fiqzBuW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:lGLHxvIIwLgZ2KRHWLOug8s
MD5:	4D3B8C97355CF67072ABECB12613F72B
SHA1:	07B27BA4FE575BBF9F893F03789AD9B8BC2F8615
SHA-256:	75FC38CDE708951C1963BB89E8AA6CC82F15F1A261BEACAF1BFD9CF0518BEECD
SHA-512:	8E47C93144772042865B784300F4528E079615F502A3C5DC6BFDE069880268706B7B3BEE227AD5D9EA0E6A3055EDBC90B39B9E55FE3AD58635493253A210C996
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0iyz3pby.i2j.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1k3o3uoy.tlg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2lzzkftb.ydx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epqasqzj.pak.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fahfmdpk.lyz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hrohmhwt.xvw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4mbd4g1.wtr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zrcpkuo1.00k.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp3B32.tmp

Download File

Process:	C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.105614459778028
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtuxvn:cgergYrFdOFzOzN33ODOiDdKrsuTiv
MD5:	C45E847F9F495D5B0FD7C25CBE4260F9
SHA1:	587340EF344E5CA137E437997D75D4E27408F0F7
SHA-256:	60C40AD640AE54955FDFCAC6B63AF041B710B9BE075BBC5F285508E05CFF427D
SHA-512:	996E48A7272530CDA1AC180D8600E513007CE80C381EC11D78BEDE3B9C730BC94967657CC822000C8EB316257FB6B9E0CAFEC363BE50E7AE54625E20ACB62A9D
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp4813.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\fiqzBuW.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.105614459778028
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtuxvn:cgergYrFdOFzOzN33ODOiDdKrsuTiv
MD5:	C45E847F9F495D5B0FD7C25CBE4260F9
SHA1:	587340EF344E5CA137E437997D75D4E27408F0F7
SHA-256:	60C40AD640AE54955FDFCAC6B63AF041B710B9BE075BBC5F285508E05CFF427D
SHA-512:	996E48A7272530CDA1AC180D8600E513007CE80C381EC11D78BEDE3B9C730BC94967657CC822000C8EB316257FB6B9E0CAFEC363BE50E7AE54625E20ACB62A9D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\fiqzBuW.exe

Download File

Process:	C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	623104
Entropy (8bit):	7.637020030047087
Encrypted:	false
SSDEEP:	12288:RUvbnb4yA0zEbqmcfgeDkebOsBo5RBZRJqF0:GJnafc14mOsK1wF
MD5:	69770CA275FC4A6E5C00E9CAE0983ECB
SHA1:	C39FDDCA5A4C2611295934B6169E8760A91774C4
SHA-256:	B6D1BBC15F5AE144E4801F8188CBE4768F3BA42E2C4DD56F42A7FA5EC9638460
SHA-512:	5B5F97A924750F8533F5E9EE5E573DE855FB447F8521D1787817037106B54F3648021C89B2CC56764E96619F5C0759DAA1F7977462C7AE4136A984F6238CA1EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.%...............0..p..........6.... ........@.. ....................................`....................................O.......$........................................................................... ............... ..H............text...<n... ...p.................. ..`.rsrc...$............r..............@..@.reloc..............................@..B........................H.......pm..H>......y...................................................v....`,...{.........o$.........0..s.........}....+_..}....+?..{.....{....(......3..{.......{.....{....o$.......{.....X}.....{.....2...{.....X}.....{.....2..J.s'...}.....(....v....`,...{.........o&.......0..t.........}....+`..}....+@..{.....{....(.....3..{.......{.....{....o&........{.....X}.....{.....2...{.....X}.....{.....2..J.s'...}.....(....6.(.....(........0..1..........{....o....sd......(..

C:\Users\user\AppData\Roaming\fiqzBuW.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.637020030047087
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	BAO SHUN Vessel Particulars.docx.scr.exe
File size:	623'104 bytes
MD5:	69770ca275fc4a6e5c00e9cae0983ecb
SHA1:	c39fddca5a4c2611295934b6169e8760a91774c4
SHA256:	b6d1bbc15f5ae144e4801f8188cbe4768f3ba42e2c4dd56f42a7fa5ec9638460
SHA512:	5b5f97a924750f8533f5e9ee5e573de855fb447f8521d1787817037106b54f3648021c89b2cc56764e96619f5c0759daa1f7977462c7ae4136a984f6238ca1ee
SSDEEP:	12288:RUvbnb4yA0zEbqmcfgeDkebOsBo5RBZRJqF0:GJnafc14mOsK1wF
TLSH:	01D4CEE03B36731ADE699974D158DDB582F51E68B101FAE2A9DC3F87358C2129E0CF42
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.%...............0..p..........6.... ........@.. ....................................`................................

File Icon


Icon Hash:	9898a6a698a62688

Static PE Info

General

Entrypoint:	0x498d36
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9C25BD6A [Sun Jan 5 19:43:38 2053 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add eax, 06000000h
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x98ce4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0xd24	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x98cc8	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x96e3c	0x97000	ebc5491bf08e20fff9776ffcd85897e6	False	0.8493797858029801	data	7.646167961522776	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9a000	0xd24	0xe00	07122df9e8e9ea3c2684b2095a123db8	False	0.36802455357142855	data	5.672623981415356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	06fb1f478c983b29ff83b575bb797c69	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x9a0c8	0x8ed	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.3846827133479212
RT_GROUP_ICON	0x9a9c8	0x14	data	1.05
RT_VERSION	0x9a9ec	0x334	data	0.4317073170731707

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	Sakk Alkalmazs 2.0
FileVersion	1.0.0.0
InternalName	zYxw.exe
LegalCopyright	Copyright 2021
LegalTrademarks
OriginalFilename	zYxw.exe
ProductName	Sakk Alkalmazs 2.0
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-19T03:55:16.131099+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	132.226.8.169	80	TCP
2025-02-19T03:55:19.646799+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49709	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 03:55:07.965645075 CET	49706	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:55:07.971723080 CET	80	49706	132.226.8.169	192.168.2.5
Feb 19, 2025 03:55:07.971935987 CET	49706	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:55:07.972276926 CET	49706	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:55:07.977298021 CET	80	49706	132.226.8.169	192.168.2.5
Feb 19, 2025 03:55:10.973475933 CET	49709	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:55:10.979388952 CET	80	49709	132.226.8.169	192.168.2.5
Feb 19, 2025 03:55:10.979499102 CET	49709	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:55:10.979659081 CET	49709	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:55:10.984714985 CET	80	49709	132.226.8.169	192.168.2.5
Feb 19, 2025 03:55:14.881493092 CET	80	49706	132.226.8.169	192.168.2.5
Feb 19, 2025 03:55:14.886099100 CET	49706	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:55:14.891102076 CET	80	49706	132.226.8.169	192.168.2.5
Feb 19, 2025 03:55:16.080076933 CET	80	49706	132.226.8.169	192.168.2.5
Feb 19, 2025 03:55:16.090260983 CET	49711	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:16.090352058 CET	443	49711	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:16.090444088 CET	49711	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:16.095921993 CET	49711	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:16.095959902 CET	443	49711	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:16.131098986 CET	49706	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:55:16.580883026 CET	443	49711	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:16.581104994 CET	49711	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:16.586704969 CET	49711	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:16.586719990 CET	443	49711	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:16.587275028 CET	443	49711	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:16.631207943 CET	49711	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:16.639048100 CET	49711	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:16.679342985 CET	443	49711	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:16.767855883 CET	443	49711	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:16.767983913 CET	443	49711	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:16.768141031 CET	49711	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:16.774616957 CET	49711	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:18.079991102 CET	80	49709	132.226.8.169	192.168.2.5
Feb 19, 2025 03:55:18.102127075 CET	49709	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:55:18.107399940 CET	80	49709	132.226.8.169	192.168.2.5
Feb 19, 2025 03:55:19.592170954 CET	80	49709	132.226.8.169	192.168.2.5
Feb 19, 2025 03:55:19.594046116 CET	49712	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:19.594156027 CET	443	49712	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:19.594343901 CET	49712	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:19.597980976 CET	49712	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:19.598022938 CET	443	49712	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:19.646799088 CET	49709	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:55:20.074484110 CET	443	49712	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:20.074719906 CET	49712	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:20.076112986 CET	49712	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:20.076143980 CET	443	49712	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:20.076400995 CET	443	49712	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:20.114393950 CET	49712	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:20.155369043 CET	443	49712	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:20.232882023 CET	443	49712	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:20.232929945 CET	443	49712	104.21.112.1	192.168.2.5
Feb 19, 2025 03:55:20.232999086 CET	49712	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:55:20.235861063 CET	49712	443	192.168.2.5	104.21.112.1
Feb 19, 2025 03:56:21.084400892 CET	80	49706	132.226.8.169	192.168.2.5
Feb 19, 2025 03:56:21.084681034 CET	49706	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:56:24.592490911 CET	80	49709	132.226.8.169	192.168.2.5
Feb 19, 2025 03:56:24.592694998 CET	49709	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:56:56.085280895 CET	49706	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:56:56.090579987 CET	80	49706	132.226.8.169	192.168.2.5
Feb 19, 2025 03:56:59.600893021 CET	49709	80	192.168.2.5	132.226.8.169
Feb 19, 2025 03:56:59.606162071 CET	80	49709	132.226.8.169	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 03:55:07.946759939 CET	54478	53	192.168.2.5	1.1.1.1
Feb 19, 2025 03:55:07.955387115 CET	53	54478	1.1.1.1	192.168.2.5
Feb 19, 2025 03:55:16.081681967 CET	51606	53	192.168.2.5	1.1.1.1
Feb 19, 2025 03:55:16.089591026 CET	53	51606	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 19, 2025 03:55:07.946759939 CET	192.168.2.5	1.1.1.1	0x47f0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:16.081681967 CET	192.168.2.5	1.1.1.1	0x82cc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 19, 2025 03:55:07.955387115 CET	1.1.1.1	192.168.2.5	0x47f0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 19, 2025 03:55:07.955387115 CET	1.1.1.1	192.168.2.5	0x47f0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:07.955387115 CET	1.1.1.1	192.168.2.5	0x47f0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:07.955387115 CET	1.1.1.1	192.168.2.5	0x47f0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:07.955387115 CET	1.1.1.1	192.168.2.5	0x47f0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:07.955387115 CET	1.1.1.1	192.168.2.5	0x47f0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:16.089591026 CET	1.1.1.1	192.168.2.5	0x82cc	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:16.089591026 CET	1.1.1.1	192.168.2.5	0x82cc	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:16.089591026 CET	1.1.1.1	192.168.2.5	0x82cc	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:16.089591026 CET	1.1.1.1	192.168.2.5	0x82cc	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:16.089591026 CET	1.1.1.1	192.168.2.5	0x82cc	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:16.089591026 CET	1.1.1.1	192.168.2.5	0x82cc	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 19, 2025 03:55:16.089591026 CET	1.1.1.1	192.168.2.5	0x82cc	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	132.226.8.169	80	7240	C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 03:55:07.972276926 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 19, 2025 03:55:14.881493092 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 02:55:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Feb 19, 2025 03:55:14.886099100 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 19, 2025 03:55:16.080076933 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 02:55:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	132.226.8.169	80	7596	C:\Users\user\AppData\Roaming\fiqzBuW.exe

Timestamp	Bytes transferred	Direction	Data
Feb 19, 2025 03:55:10.979659081 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 19, 2025 03:55:18.079991102 CET	697	IN	HTTP/1.1 504 Gateway Time-out Date: Wed, 19 Feb 2025 02:55:17 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Feb 19, 2025 03:55:18.102127075 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 19, 2025 03:55:19.592170954 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 02:55:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	104.21.112.1	443	7240	C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 02:55:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-19 02:55:16 UTC	854	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 02:55:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 165485 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RAzYDDsCy8f%2FNYcT5F2%2B%2BZMCziEVHJubj8XGJ5HpstDPQAfaUUqVs4XxTvjeyAgXcZuAKKAWJkR9MZfPbhPMvOIq1G5bofIJhl1cOUdc2q10puad0g0BvtHqjr8VLKXHfpDRIKNZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9142fa215c0f424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1571&rtt_var=597&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1822721&cwnd=250&unsent_bytes=0&cid=622febbf7922c877&ts=209&x=0"
2025-02-19 02:55:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	104.21.112.1	443	7596	C:\Users\user\AppData\Roaming\fiqzBuW.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-19 02:55:20 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-19 02:55:20 UTC	852	IN	HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 02:55:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 165488 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 17 Feb 2025 04:57:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PeiLm28zYlHZRw%2BYAi6sDjtX9k82Q89MImzMmbvsUW3CkCGY4rP6XhKuKN2F0Zr9UxfAmU%2BR52HTCmowQBI6lztrF5q1IfhBG87TUR9MfYiMIlzEksOj3HZfy4B8o2rpCLZ5npxQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9142fa370bd40f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1659&min_rtt=1641&rtt_var=628&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1779402&cwnd=224&unsent_bytes=0&cid=36b71ef918bc2021&ts=165&x=0"
2025-02-19 02:55:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	21:55:04
Start date:	18/02/2025
Path:	C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"
Imagebase:	0x600000
File size:	623'104 bytes
MD5 hash:	69770CA275FC4A6E5C00E9CAE0983ECB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2087573558.0000000004452000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2087573558.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:55:05
Start date:	18/02/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"
Imagebase:	0x680000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:55:05
Start date:	18/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:55:05
Start date:	18/02/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fiqzBuW.exe"
Imagebase:	0x680000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:55:05
Start date:	18/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:55:05
Start date:	18/02/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp3B32.tmp"
Imagebase:	0x2d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:55:05
Start date:	18/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:55:05
Start date:	18/02/2025
Path:	C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BAO SHUN Vessel Particulars.docx.scr.exe"
Imagebase:	0xae0000
File size:	623'104 bytes
MD5 hash:	69770CA275FC4A6E5C00E9CAE0983ECB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3292888606.0000000003025000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	21:55:06
Start date:	18/02/2025
Path:	C:\Users\user\AppData\Roaming\fiqzBuW.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\fiqzBuW.exe
Imagebase:	0xda0000
File size:	623'104 bytes
MD5 hash:	69770CA275FC4A6E5C00E9CAE0983ECB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.2127162650.0000000004C43000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 16%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:55:07
Start date:	18/02/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:55:08
Start date:	18/02/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiqzBuW" /XML "C:\Users\user\AppData\Local\Temp\tmp4813.tmp"
Imagebase:	0x2d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:55:08
Start date:	18/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:55:09
Start date:	18/02/2025
Path:	C:\Users\user\AppData\Roaming\fiqzBuW.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\fiqzBuW.exe"
Imagebase:	0x320000
File size:	623'104 bytes
MD5 hash:	69770CA275FC4A6E5C00E9CAE0983ECB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:55:09
Start date:	18/02/2025
Path:	C:\Users\user\AppData\Roaming\fiqzBuW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\fiqzBuW.exe"
Imagebase:	0x620000
File size:	623'104 bytes
MD5 hash:	69770CA275FC4A6E5C00E9CAE0983ECB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3289907828.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3292936547.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BAO SHUN Vessel Particulars.docx.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BAO SHUN Vessel Particulars.docx.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fiqzBuW.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0iyz3pby.i2j.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1k3o3uoy.tlg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2lzzkftb.ydx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epqasqzj.pak.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fahfmdpk.lyz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hrohmhwt.xvw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4mbd4g1.wtr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zrcpkuo1.00k.psm1

C:\Users\user\AppData\Local\Temp\tmp3B32.tmp

Windows Analysis Report
BAO SHUN Vessel Particulars.docx.scr.exe